Chapter-3 Final

Uploaded by

Thales Theoram

CHAPTER - 3

INFORMATION SYSTEMS AND ITS COMPONENTS

Chapter overview diagram. Information System (IS) components: People Resources; Computer System
(Hardware, Software); Data Resources; Networking and Communication System. Controls: Objectives of
Controls; Classification (Nature of IS Resources, Environmental Controls, Physical Security Controls,
Logical Access Controls, Managerial Controls, Application Controls). IS Auditing: Objectives, Audit
Functions, Audit Trail.

INTRODUCTION
We now have systems that are constantly exchanging information about various things and even about
us. This inter-networking of physical devices, vehicles, smart devices, embedded electronics, software,
sensors or any such device is often referred to as IOT (Internet of Things).
What is interesting about various emerging technologies is that at its core we have some key elements
namely, People, Computer Systems (Hardware, Operating System and other Software), Data
Resources, Networking and Communication System. In this chapter, we are going to explore each of
those key elements.
INFORMATION SYSTEMS: IS is a combination of people, hardware, software, communication devices,
network and data resources that processes (which can be storing, retrieving or transforming
information) data and information for a specific purpose. The system needs inputs from the user
(keying instructions and commands, typing, scanning) which will then be processed (calculating,
reporting) using technology devices such as computers, and produce output (printing reports,
displaying results) that will be sent to another user or other system via a network, together with a
feedback method that controls the operation.

The main aim and purpose of each IS is to convert data into information which is useful and
meaningful. An IS depends on the resources of people (end users and IS specialists), hardware
(machines and media), software (programs and procedures), data (data and knowledge bases), and
networks (communications media and network support) to perform input, processing, output, storage,
and control activities that transform data resources into information products. This information
system model highlights the relationships among the components and activities of information
systems. It also provides a framework that emphasizes four major concepts that can be applied to all
types of information systems.
An Information System model comprises the following steps:
Input: Data is collected from an organization or from external environments and converted into a
suitable format required for processing.
Process: A process is a series of steps undertaken to achieve a desired outcome or goal. Information
Systems are becoming more and more integrated with organizational processes, bringing more
productivity and better control to those processes.
Output: Then information is stored for future use or communicated to the user after application of
the respective procedure on it.

Functions of ISs

Fig. 3.2.1: Functions of Information Systems. Input (business problems in the form of data,
information, instructions, opportunities) flows into Processing (software, programs, people,
equipment, storage), which produces Output (solutions to problems in the form of reports, graphics,
calculations, voices); Control (decision makers, auto control) and Feedback to the user close the loop.


The three basic activities of an information system defined above help an enterprise make decisions,
control operations, analyze problems and create new products or services as an output, as shown in
Fig. 3.2.1. Apart from these activities, information systems also need feedback that is returned to
appropriate members of the enterprise to help them evaluate the input stage.

COMPONENTS OF INFORMATION SYSTEM


With the help of information systems, enterprises and individuals can use computers to collect, store,
and process, analyze, and distribute information. There are different types of information systems, i.e.
Manual (paper and pencil) information system, Informal (word to mouth) information system, Formal
(written procedures) information system and Computer based information system. This chapter
mainly focuses on computer based IS [CBIS]. A CBIS is a combination of people, IT and business
processes that helps management in taking important decisions to carry out the business successfully.
IS are networks of hardware and software that people and organizations use to create, collect, filter,
process and distribute data. IS are interrelated components working together to collect, process, and
store and disseminate information to support decision-making, coordination, control, analysis and
visualization in an organization. An IS comprises People, Hardware, Software, Data and Network for
communication support, as shown in Fig. 3.3.1.
Here, people mean the IT professionals i.e. system administrator, programmers and end users i.e. the
persons, who can use hardware and software for retrieving the desired information. The hardware
means the physical components of the computers i.e. server or smart terminals with different
configurations like corei3/corei5/corei7 processors etc. and software means the system software
(different types of operating systems e.g. UNIX, LINUX, WINDOWS etc.), application software (different
type of computer programs designed to perform specific task) and utility software (e.g. tools). The
data is the raw fact, which may be in the form of database. The data may be alphanumeric, text,
image, video, audio, and other forms. The network means communication media (Internet, Intranet,
Extranet etc.).

People Resources
While thinking about IS, it is easy to get too focused on the technological components and forget that
we must look beyond these tools at the whole picture and try to understand how technology
integrates into an organization. A focus on people involved in IS is the next step. From the helpdesk to
the system programmers all the way up to the Chief Information Officer (CIO), all of them are essential
elements of the information systems. People are the most important element in most CBIS. The
people involved include users of the system and IS personnel, including all the people who manage,
run, program, and maintain the system.
In the ever-changing world, innovation is the only key, which can sustain long-run growth. More and
more firms are realizing the importance of innovation to gain competitive advantage. Accordingly,
they are engaging themselves in various innovative activities. Understanding these layers of
information system helps any enterprise grapple with the problems it is facing and innovate to
perhaps reduce total cost of production, increase income avenues and increase efficiency of systems.

Computer System – Hardware and Software


Computer System: This can be thought of as a combination of Hardware and Software.
I. Hardware: IS hardware is the part of IS that you can touch: the physical components of
technology, such as computers, keyboards, hard drives etc.
II. Software: Software is a set of instructions that tells the hardware what to do.
Software is not tangible; it cannot be touched.
When programmers create software, what they are really doing is simply typing out lists of
instructions that tell the hardware what to execute.
There are several categories of software, with the two main categories being
- Operating system software, which makes the hardware usable and
- Application software, which does something useful.
Examples of operating system software: Microsoft Windows, LINUX, etc.
Examples of application software: Microsoft Excel, Adobe Photoshop, Microsoft Power Point etc.

I. Hardware
Hardware is the tangible portion of our computer systems; something we can touch and see. It
basically consists of devices that perform the functions of input, processing, data storage and output
activities of the computer.
Typical hardware architecture consists of:
Input devices: Input devices are used for providing data and instructions to the computer. These are
devices through which we interact with the systems and these include devices like Keyboard, Mouse
and other pointing devices, Scanners & Bar Code, MICR readers, Webcams, Microphone and
Stylus/Touch Screen.
 Keyboard helps to provide text based input.
 Mouse helps to provide menu or selection based input.
 Scanners & Webcams help in image based input.
 Microphone helps to provide voice based input.
Processing devices: These include computer chips that contain the Central Processing Unit and main
memory. The Central Processing Unit (CPU or microprocessor) is the actual hardware that interprets
and executes the program (software) instructions and coordinates how all the other hardware devices
work together. The CPU is built on a small flake of silicon and can contain the equivalent of several
million transistors. We can think of transistors as switches which could be 'ON' or 'OFF', i.e., taking a
value of 1 or 0. The processor or CPU is like the brain of the computer.
Data storage devices: This refers to the memory where data and programs are stored. The various
types of memory techniques are as given:
Internal memory: Includes processor Registers and Cache memory.
 Processor Registers: Registers are internal memory within the CPU, which are very fast and very
small.
 Cache memory: There is a huge speed difference between the speed of Registers and Primary
Memory. This results in slow processing of data as RAM provides data to the CPU for processing at
a slow speed. To bridge this speed difference or gap, the cache memory can be used. The Cache
(pronounced as cash) is a smaller size and faster memory. This memory stores a copy of the data
which is most frequently used from main memory locations such that the Processor/Registers can
access it faster than accessing it from main memory.
Primary memory/Main Memory: These are devices in which any location can be accessed in any order,
i.e. randomly (in contrast with sequential order). Two popular primary memories are (i) RAM and
(ii) ROM.
RAM - Random Access Memory:
 Volatile in nature (information is lost as soon as power is turned off).
 Purpose is to hold program and data while they are in use.
 Information can be read as well as modified.
 Responsible for storing the instructions and data that the computer is using at that present
moment.
ROM - Read Only Memory:
 Non-volatile in nature (contents remain in the system, even in absence of power).
 These are used to store a small amount of information for the CPU for quick reference.
 Information can be read but not modified.
 Generally used by manufacturers to store data and programs that are used repeatedly, like
translators.
Secondary memory: The main memory or primary memory is volatile in nature and it is used to store
data and instructions being executed. These memories cannot store data on a permanent basis and
provide small storage capacity. In addition to primary memories, a computer uses secondary memories
which provide permanent storage and are available in large capacity, e.g. hard disk and CD/DVD.
These memories are known as secondary storage because they are not directly accessible by the CPU.
Data in these memories are transferred through RAM or primary memory. Secondary storage does not
lose the data when the device is switched off or shut down, i.e. it is a non-volatile memory. The
features of secondary memory devices are:
• Non-volatility (content can be stored permanently),
• Large capacity (these are available in large size, e.g. hard disk),
• Low cost (the cost of this type of memory is lower compared to registers and RAM),
• Slow speed (slower in speed compared to registers or primary storage).
Secondary storage devices can differ amongst each other in terms of speed and access time,
cost/portability, capacity and type of access. Based on these parameters the most common types of
secondary storage are: USB Pen Drive, Memory Card, Floppy Disk, Hard Disk, CD, DVD, Blu-ray Disk
and Smart card etc.
Virtual Memory:
 Virtual Memory is not an actual memory but an imaginary memory area supported by some
operating systems like Windows.
 It is a memory technique which helps to execute big size programs with small size available RAM.
 If a computer lacks the RAM needed to run a task, Windows uses virtual memory to compensate.
 Virtual memory is a combination of the computer's RAM with temporary space on the hard disk.
When RAM runs low, virtual memory moves data from RAM to a space called a paging file or
segmentation on the hard disk.
 Moving data to and from the paging file frees up RAM to complete its work.
 Thus, Virtual memory is an allocation of hard disk space to help RAM.

Figure: memory hierarchy: Register, Cache, Primary memory, Secondary Memory; Virtual memory.

Output Devices: Output devices are devices through which the system responds. Visual output devices,
like a display device, visually convey text, graphics, and video information.
Information shown on a display device is called soft copy because the information exists
electronically and is displayed for a temporary period. Display devices include CRT monitors, LCD
monitors and displays, gas plasma monitors, and televisions. Some types of output are textual,
graphical, tactile, audio, and video.
 Textual output comprises of characters that are used to create words,
sentences, and paragraphs.
 Graphical outputs are digital representations of non-text information such as
drawings, charts, photographs, and animation.
 Tactile output such as raised line drawings may be useful for some individuals
who are blind.
 Audio output is any music, speech, or any other sound.
 Video output consists of images played back at speeds to provide the
appearance of full motion.
Most common examples of output devices are Speakers, Headphones, Screen
(Monitor), Printer, Voice output, Video, Plotter, Wireless etc.

II. Software
Software is defined as a set of instructions that tell the hardware what to do. Software is created
through the process of programming. Without software, the hardware would not be functional.
Software can be broadly divided into two categories: Operating Systems Software and Application
Software as shown in the Fig. 3.3.3. Operating systems manage the hardware and create the interface
between the hardware and the user. Application software is the category of programs that do some
processing/task for the user.

Fig. 3.3.3: Software is divided into Operating Systems Software and Application Software.

(a) Operating Systems Software


Computer programs or software used for managing computer hardware and providing a platform for
running software applications are known as System Software. An operating system such as Windows is
the most popular type of system software.
Operating System (OS):
 OS is a set of programs that manages computer hardware resources and overall operation of a
computer
 OS provides an interface to user for working on computer or for using computer applications
 Application programs require an OS which provides a platform or environment to user for
executing application
 OS acts as an executive for computer systems that is it provides wide range of functions for
efficient management of computer system.
 Some prominent Operating systems in use nowadays are Windows 7, Windows 8, Linux, UNIX and
Android (for mobile phones), etc.

Functions of OS
The key functions provided by an OS are as follows:
Performing hardware functions: OS helps in performing hardware tasks such as obtaining inputs from
keyboards and mouse, access of data from hard disk & display of outputs on monitor. The OS acts as
an intermediary between the application program and the hardware.
User Interfaces: OS provides a user interface for working on a computer. Previously it used to provide
a command based User Interface (CUI), i.e. text commands were given to the computer to execute any
activity. Now-a-days OS provides a Graphic User Interface (GUI) which provides icons & menus for
executing activities on a computer in a user friendly manner, e.g. Windows.
Hardware Independence: OS provides Application Program Interfaces (API) for connecting to different
types of hardware. That is, OS provides internal code for writing programs to configure any hardware
with the computer system.
Memory Management: OS provides efficient memory management by providing the required memory
(RAM) space for the files and programs to be executed and reclaiming the space once the files or
programs are closed. Operating systems also provide Virtual Memory by creating an area of hard disk
to supplement the memory capacity of RAM. In this way OS augments RAM memory by creating a
virtual RAM.
Task Management: OS can execute many tasks simultaneously and it maintains track of resources used
by multiple jobs/tasks being executed simultaneously. In case of multitask execution, OS maintains
track of tasks to be executed by providing a queue and scheduling these tasks for execution by the
same CPU.
Networking Capability: OS provides many features and capabilities and these features help in
configuring computers for network and internet connection. For example, the network and internet
feature in the control panel of Windows 8 helps to configure network and internet connectivity.
Logical access security: Operating systems provide many security features. For example, they provide
features like user identification & user authentication through a User ID and Password.
File management: OS does efficient file management by allowing users to give appropriate names to
files and providing folders or directories for file management. It does efficient allocation of space for
file storage and allows features like multi-sharing of the same file, etc.

(b) Application Software


As the personal computer proliferated inside organizations, control over the information generated by
the organization began splintering.
Say the customer service department creates a customer database to keep track of calls and problem
reports, and the sales department also creates a database to keep track of customer information.
Which one should be used as the master list of customers? As another example, someone in sales
might create a spreadsheet to calculate sales revenue, while someone in finance creates a different
one that meets the needs of their department.
However, it is likely that the two spreadsheets will come up with different totals for revenue. Which
one is correct? And who is managing all this information? To resolve these issues, various specific
purpose applications were created.
Application software includes all that computer software that causes a computer to perform useful
tasks beyond the running of the computer itself.
It is a collection of programs which address a real-life problem of its end users which may be business
or scientific or any other problem.
Application Suite like MS Office 2010 which has MS Word, MS Excel, MS Access, etc.;
Enterprise Software like SAP; Content Access Software like Media Players, Adobe Digital etc. are some
examples of Application Software.

3. Data Resources
You can think of data as a collection of facts.
For example, your street address, the city you live in and your phone number are all pieces of data.
Like software, data is also intangible. By themselves, pieces of data are not very useful. But
aggregated and organized together into a database, data can become a powerful tool for businesses.
For years business houses have been gathering information with regard to customers, suppliers,
business partners, markets, cost and price movement and so on. After collecting information for years,
companies have now started analyzing this information and creating important insights out of data.
Data is now helping companies to create strategy for the future. This is precisely the reason why we
have started hearing a lot about data analytics in the past few years.

Data:
- Data are the raw pieces of information with no context.
- Data can be quantitative or qualitative.
- Quantitative data is numeric, the result of a measurement, count, or some calculation.
- Qualitative data is descriptive.
For example, if I tell you my favorite number is 5, that is qualitative data because it is descriptive, not
the result of a measurement or mathematical calculation; a number can, however, also be quantitative
data.
Data is not useful by itself. To make it useful, it needs to be given some context.
Returning to the example above, if I told you that '15, 23, 14, and 85' are the numbers of students
that had registered for upcoming classes, that would be information. By adding the context – that the
numbers represent the count of students registering for specific classes – I have converted data into
information.
Once we have put our data into context, aggregated and analyzed it, we can use it to make decisions
for our organization.
We can say that this consumption of information produces knowledge.
This knowledge can be used to make decisions, set policies, and even spark innovation.

Database:
The goal of many IS is to transform data into information to generate knowledge that can be used
for decision making.
To do this, the system must be able to take data, put the data into context, and provide tools for
aggregation and analysis.
A database is designed for just such a purpose.
- A database is an organized collection of related information.
- It is called an organized collection because in a database all data is described and associated
with other data.
- All information in a database should be related as well; separate databases should be created
to manage unrelated information.
For example, a database that contains information about students should not also hold information
about company stock prices.

Database Management Systems (DBMS):


To achieve the above objectives, we use a Data Base Management System. Let's think of a DBMS as
basically just computerized record keeping.
A database is just an electronic filing cabinet, i.e., a collection of computerized data files. Even this
simple system helps us do various operations on the files, such as:
o Adding new files to database,
o Deleting existing files from database,
o Inserting data in existing files,
o Modifying data in existing files,
o Deleting data in existing files, and
o Retrieving or querying data from existing files.

A DBMS may be defined as software that aids in organizing, controlling and using the data needed by
the application programme. It provides the facility to create and maintain a well-organized database.
Applications access the DBMS, which then accesses the data.
Commercially available Data Base Management Systems are Oracle, MySQL, SQL Servers and DB2 etc.
Microsoft Access and Open Office Base are examples of personal database- management systems.
These systems are primarily used to develop and analyze single- user databases. These databases are
not meant to be shared across a network or the Internet, but are instead installed on a device and
work with a single user at a time.

Database Models:
Databases can be organized in many ways, and thus take many forms. A database model is a type
of data model that determines the logical structure of a database and fundamentally determines in
which manner data can be stored, organized and manipulated. Let’s now look at the database
model hierarchy.

Hierarchy of database is as under:


o Database: This is a collection of Files.
o File: This is a collection of Records.
o Record: This is a collection of Fields.
o Field: This is a collection of Characters.
o Characters: These are a collection of Bits.
This hierarchy is shown in the figure below: a MASTER ACCOUNT FILE whose records have the fields
Account Code, Account Head and Group head, with the records 11001 Travelling Expenses, 11002
Printing Expenses and 11003 Repairs Expenses.

Some prominent database models are as follows:

A. Hierarchical Database Model:


 In a Hierarchical Database Model, records are logically organized into a hierarchy of
relationships.
 A hierarchically structured database is arranged logically in an inverted tree pattern.
 For example, an equipment database, diagrammed in Fig. 3.3.6 may have building records,
room records, equipment records, and repair records.
 The database structure reflects the fact that repairs are made to equipment located in rooms
that are part of buildings.

Fig. 3.3.6: Hierarchical Database Model

 All records in hierarchy are called Nodes. Each node is related to the others in a parent-child
relationship.
 Each parent record may have one or more child records, but no child record may have more than
one parent record. Thus, the hierarchical data structure implements one-to-one and one-to-
many relationships.
 The top parent record in the hierarchy is called the Root Record. In this example, building
records are the root to any sequence of room, equipment, and repair records. Entrance to this
hierarchy by the DBMS is made through the root record i.e., building.
 Records that ‘own’ other records are called Parent Records. For example, room records are the
parents of equipment records. Room records are also children of the parent record, building.
There can be many levels of node records in a database.
B. Network Database Model: The network model is a variation on the hierarchical model, in the sense
that branches can be connected to multiple nodes. The network model can represent redundancy
in data more efficiently than in the hierarchical model.
 A network database structure views all records in sets.
 Each set is composed of an owner record and one or more member records.
 However, unlike the hierarchical model, the network model also permits a record to be a
member of more than one set at one time.
 The network model would permit the equipment records to be the children of both the room
records and the vendor records.
 This feature allows the network model to implement the many-to-one and the many-to-many
relationship types.
For example, suppose that in our database, it is decided to have the following records: repair
vendor records for the companies that repair the equipment, equipment records for the various
machines we have, and repair invoice records for the repair bills for the equipment. Suppose four
repair vendors have completed repairs on equipment items 1,2,3,4,5,6,7 and 8. These records
might be logically organized into the sets shown in Figure.

C. Relational Database Model:


A Relational Database allows the definition of data and their structures, storage and retrieval
operations and integrity constraints that can be organized in a table structure.
A table is a collection of records and each record in a table contains the same fields, which define
the nature of the data stored in the table. A record is one instance of a set of fields in a table.
Three key terms are used extensively in relational database models:
- Relations, A relation is a table with columns and rows.
- Attributes, The named columns of the relation are called attributes, and
- Domains. The domain is the set of values the attributes can take.
In a relational database, all the tables are related by one or more fields, so that it is possible to
connect all the tables in the database through the fields they have in common. For each table, one of
the fields is identified as a Primary Key, which is the unique identifier for each record in the table.
Keys are commonly used to join or combine data from two or more tables.
Popular examples of relational databases are Microsoft Access, MySQL, and Oracle.
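The equipment database from the hierarchical and network model examples above, expressed in the relational terms just defined (relations, attributes, domains, primary keys and joins) and run on SQLite. This is an added example, not code from the chapter; the table and column names and the sample rows are constructed assumptions.

```python
"""Relational model of the equipment database used in the hierarchical and
network model examples above: buildings own rooms, rooms hold equipment,
equipment has repairs, and repair vendors may service many items. Added
example, not from the chapter; table and column names are assumptions."""
import sqlite3

SCHEMA = """
-- Each CREATE TABLE defines a relation; its columns are its attributes.
-- PRIMARY KEY is the unique identifier of each record in the table.
CREATE TABLE building (
    building_id INTEGER PRIMARY KEY,
    name        TEXT NOT NULL UNIQUE
);
-- The hierarchy's one-to-many (building -> rooms) is a foreign key: every
-- room row must point at an existing building (its parent record).
CREATE TABLE room (
    room_id     INTEGER PRIMARY KEY,
    building_id INTEGER NOT NULL REFERENCES building(building_id),
    number      TEXT NOT NULL
);
CREATE TABLE equipment (
    equipment_id INTEGER PRIMARY KEY,
    room_id      INTEGER NOT NULL REFERENCES room(room_id),
    description  TEXT NOT NULL
);
CREATE TABLE vendor (
    vendor_id INTEGER PRIMARY KEY,
    name      TEXT NOT NULL
);
-- The network model's many-to-many (equipment <-> vendors) becomes its own
-- relation whose rows are repair invoices. CHECK limits the domain of cost.
CREATE TABLE repair (
    repair_id    INTEGER PRIMARY KEY,
    equipment_id INTEGER NOT NULL REFERENCES equipment(equipment_id),
    vendor_id    INTEGER NOT NULL REFERENCES vendor(vendor_id),
    cost         REAL NOT NULL CHECK (cost >= 0)
);
"""

# Constructed sample records (illustrative values only).
SAMPLE = [
    ("INSERT INTO building VALUES (?, ?)", [(1, "Head Office"), (2, "Warehouse")]),
    ("INSERT INTO room VALUES (?, ?, ?)", [(10, 1, "101"), (11, 1, "102"), (20, 2, "W1")]),
    ("INSERT INTO equipment VALUES (?, ?, ?)",
     [(100, 10, "Printer"), (101, 11, "Server"), (102, 20, "Forklift")]),
    ("INSERT INTO vendor VALUES (?, ?)", [(1, "Acme Repairs"), (2, "FixIt Ltd")]),
    ("INSERT INTO repair VALUES (?, ?, ?, ?)",
     [(1, 100, 1, 120.0), (2, 101, 2, 950.0), (3, 101, 1, 300.0), (4, 102, 2, 410.0)]),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with the schema and sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when asked
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE:
        conn.executemany(sql, rows)
    conn.commit()
    return conn


def repair_cost_by_building(conn) -> list:
    """Join the four related tables through the key fields they share."""
    rows = conn.execute(
        """SELECT b.name, SUM(r.cost)
           FROM repair r
           JOIN equipment e ON e.equipment_id = r.equipment_id
           JOIN room rm     ON rm.room_id = e.room_id
           JOIN building b  ON b.building_id = rm.building_id
           GROUP BY b.name ORDER BY b.name"""
    ).fetchall()
    return [(name, float(total)) for name, total in rows]


def vendors_for_equipment(conn, equipment_id: int) -> list:
    """Many-to-many: one equipment item may have been repaired by several vendors."""
    rows = conn.execute(
        """SELECT DISTINCT v.name FROM repair r
           JOIN vendor v ON v.vendor_id = r.vendor_id
           WHERE r.equipment_id = ? ORDER BY v.name""", (equipment_id,)).fetchall()
    return [name for (name,) in rows]


def try_insert(conn, sql: str, params: tuple) -> str:
    """Attempt an insert and report whether the DBMS accepted it or which
    integrity constraint (key, foreign key or domain) rejected it."""
    try:
        with conn:
            conn.execute(sql, params)
        return "accepted"
    except sqlite3.IntegrityError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    db = build_db()
    print(repair_cost_by_building(db))
    print(vendors_for_equipment(db, 101))
    # A repair for equipment 999 has no parent record, so the DBMS refuses it.
    print(try_insert(db, "INSERT INTO repair VALUES (?, ?, ?, ?)", (5, 999, 1, 50.0)))
```

The last call shows the integrity advantage discussed later in the chapter: the DBMS, not each application, refuses an orphaned child record, a negative cost outside the domain, or a duplicate primary key.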
D. Object Oriented Data Base Model:
It is based on the concept that the world can be modelled in terms of objects and their
interactions. Objects are entities conveying some meaning for us and possess certain attributes to
characterize them and interacting with each other.
An Object-Oriented Database provides a mechanism to store complex data such as images, audio
and video, etc.
An object- oriented database (also referred to as object-oriented DBMS or OODBMS) is a set of
objects.
In these databases, the data is modeled and created as objects.
An OODBMS helps programmers make objects created in a programming language behave as a
database object.
Object-oriented programming is based on a series of working objects.
Each object is an independently functioning application or program, assigned with a specific task or
role to perform.
An OODBMS is a relational database designed to manage all these independent programs, using
the data produced to quickly respond to requests for information by a larger application.
In the below Figure, the light rectangle indicates that 'engineer’ is an object possessing
attributes like ‘date of birth’, ‘address’, etc. which is interacting with another object known as ‘civil
jobs’. When a civil job is commenced, it updates the ‘current job’ attribute of the object known as
‘engineer’, because ‘civil job’ sends a message to the latter object.

Figure: object-oriented model. Part-of structure: Civil Job Team. The Engineer object has the
attributes Engineer ID, Date of Birth, Address, Employment Date, Current job and Experience, and
interacts with Civil Jobs. Class-of structure: Civil Engineer, Architect.

Advantages of DBMS
Major advantages of DBMS are given as follows:
1. Permitted Data Sharing: DBMS provides features to share the data of entire organization by
various users concurrently or simultaneously ex. Railway Reservation etc.
2. Reduced Redundancy: In non-database system (File System), each application or department has
its own private files resulting in considerable amount of redundancy of the stored data. Thus
storage space is also wasted. By having a centralized database or data in linked tables by DBMS,
the data redundancy can be avoided.
3. Data Integrity can be maintained: Data integrity can be maintained by having accurate, consistent
and up-to-date data. Updates to data only have to be made in one place in a DBMS to ensure
integrity.
4. Program and file consistency: By using a DBMS, file formats are standardized. This makes the data
files easier to maintain because the same rules are applied across all types of data. This ensures
program and file consistency.
5. Improved Security: A DBMS provides various security features which can be used for providing a
secured database, e.g. user authentication and access controls through passwords etc.
6. User friendly: A DBMS makes data access and manipulation easier for the user in a user friendly
manner.
7. Data Independence: Data stored in a DBMS provides data independence; in a DBMS data does not
reside in the applications but in the database, and the two are independent of each other.

Disadvantages of a DBMS:
There are basically two major downsides to using DBMSs. One is cost and the other is the threat to
data security. These are given as under.
1. Cost: Implementing a DBMS can be expensive and time-consuming, especially in large entities.
Training requirements are quite costly.
2. Security: Even with safeguards in place, it may be possible for some unauthorized users to access
the database. If any unauthorized user can get access to database, he can make unauthorized
alteration or modification to data.

Some Related Concepts of Database


Big Data:
The term refers to such massively large data sets that conventional database tools do not have the
processing power to analyze them.
For example, Wal-Mart must process over one million customer transactions every hour. Storing and
analyzing that much data is beyond the power of traditional DBMS tools. Understanding the best
tools and techniques to manage these large data is a problem that governments and businesses
are trying to solve.
Benefits of Big Data Processing are as follows:
Ability to process Big Data brings in multiple benefits, such as:
 Businesses can utilize outside intelligence while taking decisions.
 Access to social data from search engines and sites like Facebook and Twitter is enabling
organizations to fine tune their business strategies.
 Early identification of risk to the product/services, if any.
Improved customer service:
 Traditional customer feedback systems are getting replaced by new systems designed with Big
Data technologies. In these new systems, Big Data and natural language processing technologies
are being used to read and evaluate consumer responses.
Better operational efficiency:
 Integration of Big Data technologies and data warehouse helps an organization to offload
infrequently accessed data, this leading to better operational efficiency.

Data Warehouse:
As organizations have begun to utilize databases as the centerpiece of their operations, the
need to fully understand and leverage the collected data has become more and more apparent.
Organizations also want to analyze data in a historical sense: how does the data we have today
compare with the same set of data this time last month, or last year? From these needs arose the
concept of the data warehouse.
The concept of the data warehouse is simple:
- Extract data from one or more of the organization’s databases and load it into the data
warehouse (which is itself another database) for storage and analysis.
- However, the execution of this concept is not that simple.
A data warehouse should be designed so that it meets the following criteria:
 It uses non-operational data. This means that the data warehouse is using a copy of data from the
active databases that the company uses in its day-to-day operations, so the data warehouse must
pull data from the existing databases on a regular, scheduled basis.
 The data is time-variant. This means that whenever data is loaded into the data warehouse, it
receives a time stamp, which allows for comparisons between different time periods.
 The data is standardized. Because the data in a data warehouse usually comes from several
different sources, it is possible that the data does not use the same definitions or units. For
example, our Events table in our Student Clubs database lists the event dates using the mm/dd/yyyy
format (e.g., 01/10/2013). A table in another database might use the format yy/mm/dd
(e.g. 13/01/10) for dates. For the data warehouse to match up dates, a standard date format would
have to be agreed upon and all data loaded into the data warehouse would have to be converted
to use this standard format. This process is called Extraction-Transformation-Load (ETL).
 There are two primary schools of thought when designing a data warehouse:
Bottom-Up and Top-Down.
 The Bottom-Up Approach starts by creating small data warehouses, called data marts, to solve
specific business problems. As these data marts are created, they can be combined into a
larger data warehouse.
 The Top-Down Approach suggests that we should start by creating an enterprise-wide data
warehouse and then, as specific business needs are identified, create smaller data marts from
the data warehouse.
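The three design criteria above (non-operational copy, time-variant rows, standardized data) are easiest to see in a small ETL run. The following is an added example written for these notes, not code from the original material: the two source tables, their date formats (mm/dd/yyyy and yy/mm/dd, as in the Student Clubs illustration) and the load timestamps are all constructed for the example.

```python
"""Added example (not from the original notes): a miniature Extraction-Transformation-Load
step. Two constructed operational tables store event dates in different formats; the
load converts them to ISO yyyy-mm-dd and stamps every row with the load time, so the
warehouse is both standardized and time-variant."""
from datetime import datetime

# Constructed sample data standing in for two operational databases.
STUDENT_CLUBS_EVENTS = [          # this source uses mm/dd/yyyy
    {"event": "Chess open", "event_date": "01/10/2013"},
    {"event": "Robotics demo", "event_date": "02/28/2013"},
]
ALUMNI_EVENTS = [                 # this source uses yy/mm/dd
    {"event": "Reunion dinner", "event_date": "13/01/10"},
    {"event": "Career fair", "event_date": "13/03/05"},
]
SOURCE_FORMATS = {"student_clubs": "%m/%d/%Y", "alumni": "%y/%m/%d"}


def extract(source_name):
    """Extract: work on a copy of the operational data, never the live tables."""
    tables = {"student_clubs": STUDENT_CLUBS_EVENTS, "alumni": ALUMNI_EVENTS}
    return [dict(row) for row in tables[source_name]]


def transform(rows, source_name):
    """Transform: convert the source's date format to ISO 8601 and tag the source.
    A date that does not parse is rejected rather than loaded silently."""
    fmt = SOURCE_FORMATS[source_name]
    out = []
    for row in rows:
        try:
            parsed = datetime.strptime(row["event_date"], fmt).date()
        except ValueError as exc:
            raise ValueError(f"{source_name}: bad date {row['event_date']!r}") from exc
        out.append({"source": source_name, "event": row["event"],
                    "event_date": parsed.isoformat()})
    return out


def load(warehouse, rows, loaded_at):
    """Load: append rows with a load timestamp. Nothing is overwritten, so each
    scheduled load adds a new snapshot and earlier snapshots remain comparable."""
    for row in rows:
        warehouse.append({**row, "loaded_at": loaded_at})
    return warehouse


def run_etl(load_time_iso=None):
    """Run the pipeline over both sources; returns the warehouse table."""
    loaded_at = load_time_iso or datetime.now().isoformat(timespec="seconds")
    warehouse = []
    for source in SOURCE_FORMATS:
        load(warehouse, transform(extract(source), source), loaded_at)
    return warehouse


def events_on(warehouse, iso_day):
    """With dates standardized, matching across sources is a plain string comparison."""
    return sorted(r["event"] for r in warehouse if r["event_date"] == iso_day)


def rows_loaded_at(warehouse, loaded_at):
    """Time-variant query: how many rows came from a given load?"""
    return sum(1 for r in warehouse if r["loaded_at"] == loaded_at)
```

Running `run_etl("2013-04-01T08:00:00")` gives four rows in which "01/10/2013" and "13/01/10" both become "2013-01-10"; a later `load(...)` with a new timestamp adds a second snapshot instead of replacing the first.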

Centralized view of Data Warehouse


Benefits of Data Warehouse
Organizations find data warehouses quite beneficial for several reasons:
 The process of developing a data warehouse forces an organization to better understand the
data that it is currently collecting and what data is not being collected.
 A data warehouse provides a centralized view of all data and provides a means for identifying data
that is inconsistent.
 Once all data is identified as consistent, an organization can generate one version of the truth,
such as revenue or number of employees.
 By having a data warehouse, snapshots of data can be taken over time. This creates a historical
record of data, which allows for an analysis of trends.
 A data warehouse provides tools to combine data, which can provide new information and
analysis.

Data Mining:
Data Mining is the process of analyzing data to find previously unknown trends and patterns in order
to make decisions. Generally, data mining is accomplished through automated means against large data
sets, such as a data warehouse.
Some examples of data mining include:
 An analysis of sales from a large grocery chain might determine that milk is purchased more
frequently the day after it rains in cities with a population of less than 50,000.
 A bank may find that loan applicants whose bank accounts show particular deposit and
withdrawal patterns are not good credit risks.
 A baseball team may find that collegiate baseball players with specific statistics in hitting,
pitching, and fielding make for more successful major league players.
In some cases, a data-mining project is begun with a hypothetical result in mind.
For example, a grocery chain may already have some idea that buying patterns change after it rains
and want to get a deeper understanding of exactly what is happening.
In other cases, there are no presuppositions and a data-mining program is run against large data sets
to find patterns and associations.

The Steps involved in the Data Mining process are as follows:
Data Integration: Firstly, the data are collected and integrated from all the different sources.
Data Selection: It may be possible that not all the data collected in the first step is required. So, in
this step we select only those data which we think are useful for data mining.
Data Cleaning: The data that is collected is not clean and may contain errors, missing values, noisy or
inconsistent data. Thus, we need to apply different techniques to get rid of such anomalies.
Data Transformation: The data even after cleaning is not ready for mining, as it needs to be
transformed into an appropriate form for mining using different techniques like smoothing,
aggregation, normalization etc.
Data Mining: In this step, various data mining techniques are applied to the data to discover the
interesting patterns. Techniques like clustering and association analysis are among the many
different techniques used for data mining.
Pattern Evaluation and Knowledge Presentation: This step involves visualization, transformation,
removing redundant patterns etc. from the patterns we generated.
Decisions/Use of Discovered Knowledge: This step helps the user to make use of the knowledge
acquired to take better decisions.

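The steps listed above, carried through in code on a constructed set of grocery receipts, as an added example written for these notes (not part of the original material). The two store feeds, the dirty rows and the support/confidence thresholds are all constructed; the mining step is a pairwise association analysis of the kind the "milk after rain" illustration hints at.

```python
"""Added example (not from the original notes): the data mining steps (integration,
selection, cleaning, transformation, mining, pattern evaluation) run end to end on
constructed receipts. The mining step reports association rules such as
"bread -> milk" with their support and confidence."""
from collections import Counter
from itertools import combinations

# Step 1 input - constructed receipts from two store systems (with deliberate defects).
STORE_A = [
    {"id": 1, "items": "bread,milk", "rain_yesterday": "Y"},
    {"id": 2, "items": "bread,milk,eggs", "rain_yesterday": "Y"},
    {"id": 3, "items": "beer,chips", "rain_yesterday": "N"},
]
STORE_B = [
    {"id": 4, "items": "milk,eggs", "rain_yesterday": "N"},
    {"id": 5, "items": "bread,milk", "rain_yesterday": "Y"},
    {"id": 6, "items": "", "rain_yesterday": "?"},            # missing basket
    {"id": 5, "items": "bread,milk", "rain_yesterday": "Y"},   # duplicate of id 5
]


def integrate(*sources):
    """Data Integration: pull rows from every source into one table."""
    return [dict(r) for src in sources for r in src]


def select(rows, columns=("id", "items")):
    """Data Selection: keep only the columns this analysis needs."""
    return [{c: r[c] for c in columns} for r in rows]


def clean(rows):
    """Data Cleaning: drop rows with a missing basket and duplicate receipt ids."""
    seen, out = set(), []
    for r in rows:
        if not r["items"] or r["id"] in seen:
            continue
        seen.add(r["id"])
        out.append(r)
    return out


def transform(rows):
    """Data Transformation: comma strings become normalized item sets."""
    return [frozenset(i.strip().lower() for i in r["items"].split(",")) for r in rows]


def mine(baskets, min_support=0.4, min_confidence=0.6):
    """Data Mining: pairwise association rules.
    support(A,B) = share of baskets holding both; confidence(A->B) = support / share holding A."""
    n = len(baskets)
    item_count = Counter(i for b in baskets for i in b)
    pair_count = Counter(p for b in baskets for p in combinations(sorted(b), 2))
    rules = []
    for (a, b), c in pair_count.items():
        support = c / n
        if support < min_support:
            continue
        for lhs, rhs in ((a, b), (b, a)):
            confidence = c / item_count[lhs]
            if confidence >= min_confidence:
                rules.append({"lhs": lhs, "rhs": rhs, "support": round(support, 2),
                              "confidence": round(confidence, 2)})
    return rules


def evaluate(rules):
    """Pattern Evaluation: keep the strongest rule per consequent, dropping redundant ones."""
    best = {}
    for r in rules:
        if r["rhs"] not in best or r["confidence"] > best[r["rhs"]]["confidence"]:
            best[r["rhs"]] = r
    return sorted(best.values(), key=lambda r: (-r["confidence"], r["lhs"]))


def run_pipeline():
    """Returns (cleaned baskets, evaluated rules) for the constructed data."""
    baskets = transform(clean(select(integrate(STORE_A, STORE_B))))
    return baskets, evaluate(mine(baskets))
```

On the constructed data five baskets survive cleaning; mining yields three rules and evaluation keeps "bread -> milk" (confidence 1.0, support 0.6) and "milk -> bread" (confidence 0.75), discarding the redundant "eggs -> milk".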

Networking and Communication Systems


In today’s high speed world, we cannot imagine an IS without an effective communication system.
Effective and efficient communication is a valuable resource which helps in good management. To
enable this communication, we need communication networks.
Telecommunications give an organization the capability to move information rapidly between distant
locations and to provide the ability for employees, customers, and suppliers to collaborate from
anywhere.
The value that telecommunications add may take the form of:
(i) An increase in the efficiency of operations;
(ii) Improvements in the effectiveness of management; and
(iii) Innovations in the marketplace.
Computer Network is a collection of computers and other hardware interconnected by
communication channels that allow sharing of resources and information.
A network is a group of devices connected to each other.
Network and Communication System: This consists of both physical devices and software, links the
various pieces of hardware and transfers data from one physical location to another. Computers
and communications equipment can be connected in networks for sharing voice, data, images, sound
and video. A network links two or more computers to share data or resources such as a printer.
Every enterprise needs to manage its information in an appropriate and desired manner.
The enterprise must do the following for this:
 Knowing its information needs;
 Acquiring that information;
 Organizing that information in a meaningful way;
 Assuring information quality; and
 Providing software tools so that users in the enterprise can access information they require.
Each component, namely each computer, in a computer network is called a ‘Node’. With the desire for
faster and better processing power, existing computer systems are connected to each other to form a
computer network which allows them to share CPU, I/O devices, storage, etc.
In the real world, we see numerous networks like telephone/mobile networks, postal networks etc. If we
look at these systems, we can see that networks can be of two types:
 Connection oriented networks: Wherein a connection is first established and then data is
exchanged, as happens in the case of telephone networks.
 Connectionless Networks: Where no prior connection is made before data is exchanged. The data
being exchanged in fact carries the complete contact information of the recipient, and at each
intermediate destination it is decided how to proceed further, as happens in the case of postal
networks.
These real-world networks have helped model computer networks. Each of these networks is modeled
to address the following basic issues:
 Routing: It refers to the process of deciding how to communicate the data from source to
destination in a network.
 Bandwidth: It refers to the amount of data which can be sent across a network in a given time.
 Resilience: It refers to the ability of a network to recover from any kind of error like connection
failure, loss of data etc.
 Contention: It refers to the situation that arises when there is a conflict for some common resource
in a network. For example, network contention could arise when two or more computer systems
try to communicate at the same time.
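The four issues just listed can be modelled on a tiny constructed topology. The following is an added example written for these notes, not code from the original material: the nodes (HQ, R1, R2, Branch), the link bandwidths and the competing flows are constructed, and the routing rule used (pick the path whose narrowest link is widest) is one common choice, not the only one.

```python
"""Added example (not from the original notes): routing, bandwidth, resilience and
contention on a constructed four-node network. Routing selects the widest path
(highest bottleneck bandwidth); resilience is shown by failing a link and re-routing;
contention is shown by two flows sharing one link."""
import heapq

# Constructed topology: (node_a, node_b, bandwidth_mbps). Links are bidirectional.
LINKS = [
    ("HQ", "R1", 100), ("R1", "Branch", 50),
    ("HQ", "R2", 20),  ("R2", "Branch", 80),
]


def build_graph(links, failed=frozenset()):
    """Adjacency map; any link whose endpoint pair is in `failed` is treated as down."""
    graph = {}
    for a, b, bw in links:
        if frozenset((a, b)) in failed:
            continue
        graph.setdefault(a, {})[b] = bw
        graph.setdefault(b, {})[a] = bw
    return graph


def widest_path(graph, src, dst):
    """Routing: Dijkstra-style search maximizing the bottleneck bandwidth of the path.
    Returns (bottleneck_bandwidth, [path]) or (0, []) when dst is unreachable."""
    best = {src: float("inf")}
    prev = {}
    heap = [(-float("inf"), src)]
    while heap:
        neg_bw, node = heapq.heappop(heap)
        bw = -neg_bw
        if node == dst:
            break
        if bw < best.get(node, 0):          # stale heap entry
            continue
        for nxt, link_bw in graph.get(node, {}).items():
            cand = min(bw, link_bw)         # bandwidth is limited by the narrowest link
            if cand > best.get(nxt, 0):
                best[nxt] = cand
                prev[nxt] = node
                heapq.heappush(heap, (-cand, nxt))
    if dst not in best:
        return 0, []
    path, cur = [dst], dst
    while cur != src:
        cur = prev[cur]
        path.append(cur)
    return best[dst], path[::-1]


def route(links, src, dst, failed_links=()):
    """Resilience: route around the given failed links; (0, []) means no recovery is possible."""
    failed = frozenset(frozenset(link) for link in failed_links)
    return widest_path(build_graph(links, failed), src, dst)


def share_link(link_bw, demands):
    """Contention: flows competing for one link get a fair share capped at their own demand
    (water-filling). Returns the allocation per flow."""
    remaining = link_bw
    alloc = {}
    for name, need in sorted(demands.items(), key=lambda kv: kv[1]):
        share = remaining / (len(demands) - len(alloc))
        alloc[name] = min(need, share)
        remaining -= alloc[name]
    return alloc
```

With both paths up, HQ to Branch goes via R1 at 50 Mbps; if the R1-Branch link fails the route falls back to R2 at 20 Mbps, and with both Branch links down the destination is unreachable. Two 40 Mbps flows on a 50 Mbps link each get 25 Mbps, while a 10 Mbps flow beside a 40 Mbps one leaves the larger flow its full demand.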
The following are the important benefits of a computer network:
Distributed nature of information: There would be many situations where information must be
distributed geographically. E.g. in the case of a banking company, accounting information of various
customers could be distributed across various branches, but to make a consolidated Balance Sheet at
the year-end it would need networking to access information from all its branches.
Resource Sharing: Data could be stored at a central location and shared across different systems.
Resource sharing could even be in terms of sharing peripherals like printers, which are normally shared
by many systems. E.g. in the case of a CBS, bank data is stored at a Central Data Centre and could be
accessed by all branches as well as ATMs.
Computational Power: The computational power of most applications would increase drastically if the
processing is distributed amongst computer systems. For example, processing in an ATM machine in a
bank is distributed between the ATM machine and the central computer system of the bank, thus
reducing the load on both.
Reliability: Many critical applications should be available 24×7; if such applications are run across
different systems distributed across a network, then the reliability of the application would be high.
E.g. in a city there could be multiple ATM machines, so that if one ATM fails, one could withdraw money
from another ATM.
User communication: Networks allow users to communicate using e-mail, newsgroups, video
conferencing, etc.
Telecommunications may provide these values through the following impacts:
(a) Time compression: Telecommunications enable a firm to transmit raw data and information quickly
and accurately between remote sites.
(b) Overcoming geographical dispersion: Telecommunications enable an organization with
geographically remote sites to function like a single unit. The firm can then reap benefits of scale
and scope which would otherwise be unobtainable.
(c) Restructuring business relationships: Telecommunications make it possible to create systems
which restructure the interactions of people within a firm as well as a firm’s relationships with its
customers.

INFORMATION SYSTEMS CONTROLS


Control is defined as policies, procedures, practices and enterprise structure that are designed to
provide reasonable assurance that business objectives will be achieved and undesired events are
prevented, detected and corrected.
Some of the critical controls lacking in a computerized environment are as follows:
 Lack of management understanding of IS risks and related controls;
 Absent or inadequate IS control framework;
 Absent or weak general controls and IS controls;
 Lack of awareness and knowledge of IS risks and controls amongst the business users and even IT
staff;
 Complexity of implementation of controls in distributed computing environments and extended
enterprises;
 Lack of control features or their implementation in highly technology driven environments; and
 Inappropriate technology implementations or inadequate security functionality in technologies
implemented.

CLASSIFICATION OF IS CONTROLS
Internal controls can be classified into various categories, on different bases, to illustrate the interaction
of various groups in the enterprise and their effect on ISs. These categories are represented in the
figure below (Classification of IS Controls):

Objective of Controls
• Preventive
• Detective
• Corrective

Nature of IS Resource
• Environmental
• Physical Access
• Logical Access

Audit Functions
• Managerial
• Application

Classification based on “Objective of Controls”

The controls, per the time at which they act relative to a security incident, can be classified as under:
Q: What do you mean by Detective Controls? Explain with the help of Examples.
Q: What are the main characteristics of Detective controls which are designed to detect errors,
omissions or malicious acts that occur? (Nov 2016, 4 marks, CA FINAL)

Preventive Controls:
Meaning: Preventive controls are those which are designed to prevent the occurrence of any
error/omission or malicious act.
Characteristics:
- An understanding about the vulnerabilities of the asset.
- Understanding probable threats.
- Provision of necessary controls to stop probable threats from materializing.
Examples: Firewalls, antivirus software, passwords, segregation of duties, access control, training to
staff, authorization of transactions, etc.

Detective Controls:
Meaning: These controls are designed to detect and report errors/omissions or malicious acts.
Characteristics:
- Clear understanding of lawful/unlawful activities so that anything which is unlawful is reported.
- An established mechanism to report unlawful activities to the appropriate person.
- Interaction with the preventive control to prevent such acts from occurring.
- Surprise checks by supervisor.
Examples: Duplicate checking of calculations, periodic performance reporting, the internal audit
function, intrusion detection system, cash counts and bank reconciliation, hash total.

Corrective Controls:
Meaning: Corrective controls are designed to reduce the impact or correct an error once it has been
detected.
Characteristics:
- Minimize the impact of the threat.
- Identify the cause of the problem.
- Remedy problems discovered by detective controls.
- Get feedback from preventive and detective controls.
- Correct error arising from a problem.
Examples: Contingency planning, backup procedure, rerun procedure, treatment procedures for a
disease.
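The "hash total" listed among the detective controls is worth seeing in code, because it is often confused with a cryptographic hash. The following is an added example written for these notes, not code from the original material: the batch of payment records, the account numbers and the amounts are constructed.

```python
"""Added example (not from the original notes): batch control totals as a detective
control. Three totals are struck when the batch leaves the originating department:
record count, financial total and a hash total (the arithmetic sum of the account
numbers, which has no business meaning). Recomputing them after processing reports
any record that was altered, dropped or added in between."""
from decimal import Decimal

# Constructed batch of payment records as prepared by the originating department.
BATCH = [
    {"account": "100234", "amount": Decimal("1250.00")},
    {"account": "100877", "amount": Decimal("330.50")},
    {"account": "104412", "amount": Decimal("7800.00")},
]


def control_totals(records):
    """Compute the three batch control totals. Decimal avoids floating-point drift
    that would itself produce false mismatches on the financial total."""
    return {
        "record_count": len(records),
        "financial_total": sum((r["amount"] for r in records), Decimal("0")),
        "hash_total": sum(int(r["account"]) for r in records),
    }


def check_batch(records, expected):
    """Detective control: recompute the totals and report every mismatch.
    An empty list means the batch agrees with the totals struck at origin."""
    actual = control_totals(records)
    findings = []
    for name in ("record_count", "financial_total", "hash_total"):
        if actual[name] != expected[name]:
            findings.append(f"{name}: expected {expected[name]}, got {actual[name]}")
    return findings


def accepted(records, expected):
    """True only when all three totals agree."""
    return not check_batch(records, expected)
```

Substituting one account number for another with the same amount leaves the record count and the financial total untouched; only the hash total catches it, which is exactly why a meaningless total is kept alongside the meaningful ones.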

Classification on the basis of Nature of IS Resources:

ENVIRONMENTAL CONTROLS
These are the controls relating to the IT environment such as power, AC, UPS, smoke detectors, fire
extinguishers etc. The following lists the environmental exposures and their controls.
(i) Controls for Environmental Exposures

Fire damage: Major ways of protecting the installation against fire:
 Both automatic and manual fire alarms may be placed at strategic locations.
 Besides the control panel, master switches may be installed for power and the fire
suppression system.
 Manual fire extinguishers can be placed at strategic locations.
 Fire proof walls and ceilings surrounding the computer rooms.
 Fire exits should be clearly marked.
 All staff members should know how to use all the fire protection systems.
 Less wood and plastic material in the computer room.
 Use a gas based fire suppression system.
 The location of the computer room should be strategically planned; it should not be
located in the basement or on the ground floor.
 Regular inspection by the fire department.
 Documented and tested emergency evacuation plans: procedures should be laid down
for controlled shutdown of the computer in an emergency; further, saving human life
should be given prime importance.
 Smoke Detectors: Smoke detectors are placed above or below the ceiling. Upon
activation they produce an audible alarm and are linked to a monitoring station.
 Wiring placed in electrical panels and conduit (pipeline): electrical fires are always a
risk. To reduce the risk of such fires, wiring should be placed in fire resistant panels
and conduit (pipeline).
Electrical Exposures: These include the risk of damage that may be caused by electrical faults, such
as non-availability of electricity, spikes (temporary very high voltages), fluctuations of voltage and
other such risks.
 The risk of damage due to power spikes can be reduced to a great extent by using
electrical surge protectors.
 UPS/Generator: in case of power failure, the UPS provides backup by supplying
electrical power from a battery to the computer. A generator is used for a long
period of non-availability of power.
 Power supply variation: voltage regulators protect the hardware from temporary
increases or decreases of power.
 Emergency power off switch: Two switches, one in the computer room and the other
outside the computer room, to trigger a shutdown in case of emergency.
Water Damage:
 Water damage to a computer installation can be the outcome of burst water pipes. It
may also result from other sources such as cyclones, tornadoes, floods etc.
 Some of the major ways of protecting the installation against water damage are as
follows:
 Wherever possible have waterproof ceilings, walls and floors;
 Ensure an adequate positive drainage system exists;
 Install alarms at strategic points within the installation;
 In flood areas have the installation above the upper floor;
 Water proofing; and
 Water leakage alarms.
Pollution Damage and others:
 The major pollutant in a computer installation is dust. Dust caught between the
surfaces of magnetic tape/disk and the reading and writing heads may cause either
permanent damage to data or read/write errors.
Some of the other controls are as follows:
 Power leads from two substations: so that interruption of one power supply does not
adversely affect the electrical supply.
 Prohibition against eating, drinking and smoking within the information processing
facility: by putting a sign board on the entry door.

PHYSICAL ACCESS CONTROLS

Physical access exposures include abuse of data processing resources; blackmail; embezzlement;
damage or theft of equipment or documents; public disclosure of sensitive information; and
unauthorized entry.
A. Controls for Physical Access Exposures:

1. Locks on Doors: May be in the form of
1. Combination Door Locks (Cipher locks): The cipher lock consists of a ten-numbered pushbutton
panel that is mounted near the door. To enter, a person has to press a four digit number, and the
door will unlock, usually within ten to thirty seconds. Some cipher locks are coded with a person’s
handprint; a matching handprint unlocks the door.
2. Bolting Door Locks: A special metal key is used to unlock the door. To avoid illegal entry, the
keys should not be duplicated.
3. Electronic Door Locks: A magnetic chip based plastic card (like a smart card) or token may be
presented to a sensor reader to gain access. The device, upon reading the special code, activates
the door locking mechanism.
2. Physical Identification Medium:
1. Personal Identification Number (PIN): A secret number is assigned to the individual, and on entry
it is matched with the PIN available in the security database.
2. Plastic cards: These cards are used for identification purposes. Customers should safeguard their
card so that it does not fall into unauthorized hands.
3. Identification badge: Special badges can be issued to visitors; the colour of the badge can differ
for easy identification, and photo IDs can also be utilized.
3. Logging of access:
1. Manual logging: Recording of visitors’ access in a manual register with particulars like name,
company details, contact number and signature.
2. Electronic logging: here user logins can be monitored and unsuccessful attempts highlighted.
4. Other means of controlling physical access:
Video cameras/CCTVs: Video cameras located at strategic places; detailed footage is monitored at
control rooms. The footage is backed up for a long period of time for future need.
Security Guard: Physical monitoring of visitors accessing the facilities.
Controlled visitor access: A responsible employee should attend all visitors. Visitors may be friends,
maintenance personnel, vendors, consultants or external auditors.
Bonded personnel: All service/contract staff, whether cleaning staff or otherwise, should be asked
to sign a bond to reduce the risk arising out of financial exposure to the organisation.
Dead man door: These are a pair of doors. The authorized user opens the first door and enters a
holding area; the door behind him closes, and only then does the door in front of him open to let
him enter. The holding area is designed so that only one person can stand in it at a time, thus there
is no risk of an unauthorized person following an authorized person.
Non exposure of sensitive facilities: There should not be any indication sign or advertisement
pointing to the computer room.
Controlled single point of entry: All incoming personnel should use a controlled single point of entry
that is monitored by a receptionist. Multiple entry points increase the chance of unauthorised entry.
Computer terminal lock: These locks ensure that the device on the desk is not turned on or
disengaged by an unauthorised person.
Alarm System: Illegal entry may be restricted by an alarm system; security personnel should be able
to hear the alarm.
Perimeter fencing: Fencing at the boundary may also facilitate the security mechanism.
Control of out of hours of employees: Employees who are out of office for a long time during office
hours should be monitored carefully. Their movements must be noted and reported to the
concerned officials frequently.
Secured Report/Document Distribution Cart: Secured carts, such as mail carts, must be covered and
locked and should always be attended.

LOGICAL ACCESS CONTROLS

Logical access controls are the system-based mechanisms used to designate who or what is to have
access to a specific system resource and the type of transactions and functions that are permitted.
(a) Technical Exposures: Technical exposures include unauthorized implementation or modification of
data and software. Technical exposures include the following:
Data diddling: It involves the change of data before or during the time of entry into the system, and
the worst part is that it occurs before computer security can protect the data.
Bomb: It is a piece of bad program code intentionally planted by an insider/outsider. A logical event
triggers a bomb (logic bomb), or a bomb may be time based (time bomb). The bomb explodes when
the conditions for explosion are fulfilled and causes the damage immediately. However, these
programs cannot infect other programs.
Ex. if my employee number does not appear in the payroll, delete the payroll file.
Ex. if it is Friday and the date is the 13th, delete the Employee Master file.
Christmas Card: It is a well known example of a Trojan. It was detected on the internal e-mail system
of IBM. On typing the word Christmas, it would draw the Christmas tree as expected, but in
addition it would send copies of similar output to all other users connected to the network.
Because of this message on their terminals, other users could not save their half-finished work.
Worms: Worms are also malicious programs like Trojans, but the difference is that they copy
themselves to another machine/system on the network. They can be detected easily in
comparison to Trojans and computer viruses.
Worms can perform some useful tasks. For example, worms can be used in the installation of a
network: a node which does not indicate the presence of the worm for quite some time can be
assumed to be not connected to the network.
Rounding down: This refers to rounding off small fractions of a denomination and transferring these
small fractions into an authorized account. As the amount is small it rarely gets noticed.
Rs. 2,35,445.65/- may be rounded down to Rs. 2,35,445.60/-.
Salami technique: This involves slicing small amounts of money from a transaction and is similar to
the rounding down technique. The Salami technique is slightly different in the sense that a fixed
amount is deducted. For example, in the rounding down technique, Rs. 21,23,456.39 is truncated to
Rs. 21,23,456.00 depending on the calculation.
Trap Doors: Trap doors allow insertion of specific logic, such as program interrupts, that permits a
review of data. They also permit insertion of specific logic.
Spoofing: A spoofing attack involves forging one’s source address. One machine is used to
impersonate the other in the spoofing technique. Spoofing occurs only after a particular machine
has been identified as vulnerable.

(c) Asynchronous attacks: These may occur when data moves across telecommunication lines.
Data leakage: Data leakage involves leaking information out of the computer by means of stealing
information from the computer by copying it onto external media like CDs or USB pen drives, or
by taking printouts etc.
Subversive Threats: An intruder attempts to violate the integrity of some components in the sub
system. A subversive attack can provide intruders with important information about messages
being transmitted, and the intruder can manipulate these messages in many ways.
Wire Tapping: Involves spying on information (listening to information) transmitted over a
telecommunication network.
Piggy backing: Refers to the act of following authorized users through a secured door or attaching to
a telecommunication link to capture and alter a transmission. This involves intercepting
communication between the operating system and the user and modifying it or substituting new
messages.

Figure (Piggy backing): in the first case, hackers observe the message sent from Mr. A to Miss B over
the Internet/communication facilities and read its content; in the second, hackers capture the
message from Mr. A and modify its contents or add content before it reaches Miss B.

Q: Who are the persons behind these kinds of logical violations?

Logical access violators are often the same people who exploit physical exposures, although the skills
needed are more technical and complex.
 Hackers: Hackers try their best to overcome restrictions to prove their ability. They never try to
misuse the computer intentionally.
 Employees (authorized or unauthorized) or former employees.
 IS Personnel: they have the easiest access to computerized information since they are the
custodians of this information. Segregation of duties and supervision help to reduce logical access
violations.
 End users, competitors, foreigners, organized criminals, crackers, part-time and temporary
personnel, vendors and consultants etc.
(IV) Some of the logical access controls are listed below:
User Access Management:
 User registration: Information about every user is documented. The following questions are to be
answered: Why is the user granted the access? Has the data owner approved the access? Has the
user accepted the responsibility? etc. The de-registration process is equally important.
 Privilege Management: Access privileges are to be aligned with job requirements and
responsibilities.
 User password management: Password management refers to allocation, storage, revocation and
reissue of passwords. Users should be aware of password management.
 Review of user access rights: A user’s need for accessing information changes with time and
requires a periodic review of access rights, since the user’s current job profile may have changed.
User Responsibilities: User awareness and responsibility is also an important factor:
 Password use: Mandatory use of strong passwords to maintain confidentiality.
 Unattended user equipment: Users should ensure that none of the equipment under their
responsibility is ever left unprotected. They should also secure their PCs with a password and
should not leave them accessible to others.
Network Access Control: This can be achieved through the following means:
 Policy on use of network services: An enterprise wide policy should be framed for internet service
requirements, and it should be aligned with the business need.
 Enforced Path: Based on risk assessment, it is necessary to specify the exact path or route
connecting the networks; e.g., internet access by employees will be routed through a firewall.
 Segregation of networks: Based on the sensitivity of the information, say a VPN connection between
a branch office and the head office, this network is to be isolated from the internet usage service.
 Network connection and routing control: The traffic between networks should be restricted, based
on identification of source and authentication policies implemented across the system.
 Security of network services: The techniques of authentication and authorization policy should be
implemented across the organization’s network.
 Firewall: Organizations connected to the internet and intranet often implement an electronic
firewall to insulate their network from outsiders. A firewall is a system that enforces access control
between two networks. All traffic between the private and public network should pass through the
firewall, and only authorized traffic is allowed through. It can be used to insulate internal access
also.
 Encryption: It is the conversion of data into a secret code, for data stored in a database or data
moving across a transmission line. The sender uses an encryption algorithm to convert the original
message, i.e. the clear text, into cipher text. This is decrypted at the receiver’s end, i.e. the cipher
text is converted back into clear text using the same algorithm. The encryption algorithm uses a
KEY; the more bits in the key, the stronger the encryption. Two general approaches used are private
key encryption and public key encryption.
 Call Back devices: The call-back device requires the user to enter a password and then the system
breaks the connection. If the caller is authorized, the call-back device dials the caller’s number to
establish a new connection. This prevents an intruder masquerading as a legitimate user. It is based
on the principle that the key to network security is to keep intruders off the intranet rather than
imposing security measures after the criminal has connected to the intranet.
Operating System Access Control: The operating system is the computer control program. It allows
users and their applications to share and access common computer resources, such as the processor,
main memory, database and printers.
 Automated terminal identification: This will help to ensure that a particular session could only be
initiated from a particular location or computer terminal.
 Terminal log-in procedure: A first line of defense against unauthorized access. When a user enters a
log-in ID and password to enter the system, the system compares them with a database of valid
users and authorizes entry into the system. If the password and login ID are entered incorrectly,
then after a specified number of attempts the system should lock the user.
 Access Token: If log-in is successful, the OS creates an access token that contains the privileges
(access rights) granted to that user. The information in the access token is used to approve all
actions attempted by the user.
 Access Control List: It contains information that defines the access privileges for all valid users. The
OS compares the access token with the access control list; if there is a match, the user is granted
access.
 Discretionary Access Control: System owners may be granted some discretionary access control,
which allows them to grant access privileges to other users. For example, the controller of the
General Ledger may grant read-only access to the Budgeting Department while the Accounts
Manager may be granted both read and write permission.
 User identification and authentication: The users must be identified and authenticated in a foolproof
manner. Depending on risk assessment, more stringent methods like biometric authentication or
cryptographic means should be employed.
 Password management system: An OS could enforce the selection of good passwords, and the
password file should not be accessible to users.
 Use of system utilities: System utilities are the programs that help to manage critical functions of the
OS, e.g. addition or deletion of users. Obviously, these utilities should not be accessible to a general
user. Use of and access to these utilities should be strictly controlled and logged.
 Duress alarm to safeguard users: If users are forced to execute some instruction under threat, the
system should provide a means to alert the authorities.
 Terminal time out: Log out the user if the terminal is inactive for a defined period. This will prevent
misuse in the absence of the legitimate user.
 Limitation of connection time: Define the available time slot. Do not allow any transaction beyond
this time period. For example: no computer access after 8:00 pm and before 8:00 am, or on Sunday.
Application and Information access restriction:
Monitoring  A user is allowed to access only to those items, s/he is authorized to
system Access access. Controls are implemented on the access rights of users, For
Control example, read, write, delete, and execute. And ensure that sensitive
output is sent only to authorized terminals and locations.
Sensitive system isolation
 Based on the critical constitution of a system in an enterprise, it may
even be necessary to run the system in an isolated environment.
Event logging
 All incoming and outgoing requests along with attempted access should
be recorded in a transaction log. The log should record the user ID,
the time of the access and the terminal location from where the
request has been originated.
Monitor system use
 A constant monitoring of some critical systems is essential. Define the
details of types of accesses, operations, events and alerts that will be
monitored. The extent of monitoring and periodicity will depend upon risk
factors.
Clock synchronization
 The need for synchronizing clock time across the network as per a
standard time is mandatory for correlating an event with time and
generating report on it.
Controls when In today’s organizations, computing facility is not restricted to a particular
mobile data centre alone. Ease of access on the move provides efficiency and
results in additional responsibility on the management to maintain
information security.
Theft of data carried on the disk drives of portable computers is a high risk
factor. Both physical and logical access to these systems is critical.
Information is to be encrypted and access identifications like fingerprint,
eye-iris, and smart cards are necessary security features.
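The log-in, lock-out, access token, access control list, discretionary grant and event logging steps described above, modelled as one added Python example (this is not code from the study material); the class and its methods are hypothetical, and the lock-out threshold, user names, resource "GL" and terminal IDs are constructed for illustration.

```python
from dataclasses import dataclass

MAX_ATTEMPTS = 3  # constructed policy: lock the ID after this many consecutive failures


@dataclass
class AccessToken:
    """Created by the OS after a successful log-in; carries the user's privileges."""
    user: str
    privileges: dict  # resource -> set of rights, e.g. {"GL": {"read"}}


class AccessControlSystem:
    """Hypothetical model of the operating-system access control sequence."""

    def __init__(self, clock):
        self.clock = clock        # synchronized clock, so events can be correlated by time
        self.passwords = {}       # valid-user database (a real OS stores hashes, not passwords,
                                  # and keeps the file out of users' reach)
        self.failed = {}          # consecutive failed log-ins per user ID
        self.locked = set()       # user IDs locked after too many failures
        self.acl = {}             # access control list: resource -> {user: set of rights}
        self.owners = {}          # resource -> owner, who may delegate rights (DAC)
        self.event_log = []       # user ID, time, terminal and outcome of every request

    def _log(self, user, terminal, event):
        self.event_log.append({"user": user, "time": self.clock(), "terminal": terminal, "event": event})

    def add_user(self, user, password):
        self.passwords[user] = password

    def add_resource(self, resource, owner, rights):
        self.owners[resource] = owner
        self.acl[resource] = {owner: set(rights)}

    def login(self, user, password, terminal):
        """Terminal log-in procedure: returns an access token, or None on failure or lock-out."""
        if user in self.locked or self.passwords.get(user) != password:
            self.failed[user] = self.failed.get(user, 0) + 1
            if self.failed[user] >= MAX_ATTEMPTS:
                self.locked.add(user)  # lock after the specified number of attempts
            self._log(user, terminal, "log-in failed")
            return None
        self.failed[user] = 0
        self._log(user, terminal, "log-in ok")
        # the token is a copy of this user's ACL entries, taken at log-in time
        privileges = {res: set(users[user]) for res, users in self.acl.items() if user in users}
        return AccessToken(user, privileges)

    def grant(self, token, resource, grantee, rights):
        """Discretionary access control: only the resource owner may grant rights to others."""
        who = token.user if token else "unknown"
        if token is None or self.owners.get(resource) != token.user:
            self._log(who, "-", f"grant on {resource} denied")
            return False
        self.acl[resource].setdefault(grantee, set()).update(rights)
        self._log(who, "-", f"granted {sorted(rights)} on {resource} to {grantee}")
        return True

    def access(self, token, resource, right, terminal):
        """Approve an action from the privileges the token carries (copied from the ACL at log-in);
        a grant made after log-in takes effect at the grantee's next log-in."""
        if token is None:
            return False
        allowed = right in token.privileges.get(resource, set())
        self._log(token.user, terminal, f"{right} {resource} {'allowed' if allowed else 'denied'}")
        return allowed


def demo():
    """Walk through the page's General Ledger example and return the outcomes."""
    ticks = iter(range(10_000))
    acs = AccessControlSystem(clock=lambda: next(ticks))  # a counter stands in for a real clock
    acs.add_user("controller", "ctl-secret")
    acs.add_user("budget", "bud-secret")
    acs.add_resource("GL", owner="controller", rights={"read", "write"})
    out = {}
    ctl = acs.login("controller", "ctl-secret", "T01")
    out["controller_grants_read"] = acs.grant(ctl, "GL", "budget", {"read"})
    bud = acs.login("budget", "bud-secret", "T02")
    out["budget_read"] = acs.access(bud, "GL", "read", "T02")
    out["budget_write"] = acs.access(bud, "GL", "write", "T02")
    out["budget_grants_write"] = acs.grant(bud, "GL", "budget", {"write"})  # not the owner
    for _ in range(MAX_ATTEMPTS):
        acs.login("controller", "guess", "T09")                  # repeated bad passwords
    out["locked_out"] = acs.login("controller", "ctl-secret", "T09") is None
    out["events"] = len(acs.event_log)                           # every request was logged
    return out


if __name__ == "__main__":
    print(demo())
```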
Classification based on "Audit Functions"

Auditors might choose to factor systems in several different ways. Auditors have found two ways to be especially useful when conducting IS audits. These are discussed below:

A. Managerial Controls: In this part, we shall examine the managerial controls that must be performed to ensure the development, implementation, operation and maintenance of IS in a planned and controlled manner in an organization. The controls at this level provide a stable infrastructure in which IS can be built, operated, and maintained on a day-to-day basis.
1. Top management and IS management controls:
Top management is responsible for preparing a master plan for the IS function. The senior managers who take responsibility for the IS function in an organisation face many challenges. The major functions that a senior manager must perform are as follows:
(a) Planning: This includes determining the goals of the IS function and the means of achieving these goals. The steering committee should comprise representatives from all areas of the business and IT personnel. The committee would be responsible for:
- the overall direction of IT; and
- overall responsibility for the activities of the IS function.
(b) Organizing: There should be a prescribed IT organizational structure with documented roles and responsibilities and agreed job descriptions. This includes gathering, allocating, and coordinating the resources needed to accomplish the goals established during the planning function.
(c) Leading: This includes motivating, guiding, and communicating with personnel. The process of leading requires managers to motivate subordinates, direct them and communicate with them.
(d) Controlling: This includes comparing actual performance with planned performance as a basis for taking any corrective action. This involves determining when the actual activities of the IS function deviate from the planned activities.

2. SYSTEM DEVELOPMENT MANAGEMENT CONTROLS:

System development management is responsible for the functions concerned with analyzing, designing, building, implementing and maintaining IS. System development controls are targeted to ensure that proper documentation and authorizations are available for each phase of the system development process.
The six activities discussed below deal with system development controls in an IT setup:
System authorization activities: All systems must be properly authorized to ensure economic justification and feasibility. New system requests should be submitted in written form.
User specification activities: Users must be actively involved in the system development process.
Technical design activities: These translate the user specifications into a set of detailed technical specifications that meet user needs.
Internal auditor's participation: The internal auditor plays an important role in the control of system development activities. The auditor makes conceptual suggestions regarding control requirements and is involved in all phases of the SDLC, including the maintenance phase.
Program testing: All program modules are thoroughly tested before implementation. The results of the tests are compared against predetermined results to identify programming and logical errors.
User test and acceptance procedure: Before implementation, the individual modules of the system must be tested as a whole. A test team should be formed consisting of users, system professionals and internal audit personnel. Once the team is satisfied, the system is formally accepted.
3. PROGRAMMING MANAGEMENT CONTROLS:
The purpose of control during software development is to monitor progress against plan and to ensure that the software released is authentic, accurate and complete.
Phases of the Program Development Life Cycle and their controls:
Planning: Techniques like WBS (work breakdown structures) and PERT (program evaluation and review technique) can be used to monitor progress against plan.
Control: The control phase has two major purposes:
- Progress in the various phases should be monitored against plan and corrective action taken.
- Control should be exercised over software development, acquisition and implementation tasks to ensure that the software released is authentic, accurate and complete.
Design: A systematic approach like structured design or object-oriented design is adopted.
Coding: The programmer must choose a module integration strategy (like top-down or bottom-up), a coding strategy (like structured programming) and a documentation strategy (to ensure program code is easily readable and understandable).
Testing: Three types of testing can be done:
- Unit testing: focuses on individual program modules.
- Integration testing: focuses on groups of program modules.
- Whole-of-program testing: focuses on the whole program.
Operation and maintenance: Management establishes a formal mechanism to monitor the status of operational programs so that the need for maintenance can be identified on a timely basis. There are three types of maintenance:
- Repair maintenance: in which program errors are corrected;
- Adaptive maintenance: in which the program is modified to meet changing user requirements;
- Perfective maintenance: in which the program is tuned to decrease resource consumption.

4. Data Resource Management Controls:

Many organizations now recognize that data is a critical resource that must be managed properly and, accordingly, centralized planning and control is essential.
For data to be managed better, users must be able to share data, and data must be:
- available to users when it is needed;
- in the location where it is needed; and
- in the form in which it is needed.
Further, it must be possible to modify data easily and the integrity of the data must be preserved. If a data repository system is used properly, it can enhance data and application system reliability. It must be controlled carefully, however, because the consequences are serious if the data definition is compromised or destroyed. Careful control should be exercised over the roles by appointing senior, trustworthy persons, separating duties to the extent possible, and maintaining and monitoring logs of the data administrator's and database administrator's activities.

5. Quality Assurance Management Controls:

Quality assurance management is concerned with ensuring that:
- the IS produced by the IS function achieve certain quality goals; and
- the development, implementation and maintenance of IS comply with a set of quality standards.

Quality Assurance (QA) personnel should work to improve the quality of information systems produced, implemented, operated, and maintained in an organization. They perform a monitoring role for management to ensure that:
- quality goals are established and understood clearly by all stakeholders; and
- compliance occurs with the standards that are in place to attain quality information systems.

6. SECURITY MANAGEMENT CONTROLS:

Information security administrators are responsible for ensuring that IS assets categorized under personnel, hardware, software, documentation, data, applications and facilities are secure. Assets are secure when the expected losses that will occur over some time are at an acceptable level.
The controls classified by "Nature of Information System Resources" (Environmental Controls, Physical Controls and Logical Access Controls) are all security measures against the possible threats. However, despite the controls in place, there is a possibility that a control might fail. Disasters are events or incidents so critical that they have the capability to hit the business continuity of an entity in an irreversible manner.
When disaster strikes, there is a need to recover critical assets, recover operations and mitigate losses using the last-resort controls: a DRP and insurance.
A comprehensive DRP comprises four parts: an emergency plan, a backup plan, a recovery plan and a test plan. The plan lays down the policies, guidelines and procedures for all IS personnel.
Adequate insurance must be able to replace IS assets and to cover the extra costs associated with restoring normal operations.
BCP controls are related to having an operational and tested IT continuity plan which is in line with the overall BCP, so that IT services are available as required and the impact on the business in the event of a major disruption is kept to a minimum.

7. OPERATION MANAGEMENT CONTROLS:

Operations management is responsible for the daily running of hardware and software facilities. Operations management typically performs controls over the functions below:
(a) Computer operations: These controls govern the activities that directly support the day-to-day execution of either test or production systems on the hardware/software platform available. Three types of controls fall under this category:
- Operation controls: these prescribe the functions of human operators or automated operations.
- Scheduling controls: these prescribe how jobs are to be scheduled on a hardware/software platform.
- Maintenance controls: these prescribe how hardware is to be maintained in good operating order.
(b) Network operations: This includes the proper functioning of network operations and monitoring the performance of the network. Data may be lost or corrupted through component failure. The primary components in the communication sub-system are as follows:
- Communication lines, viz. twisted pair, coaxial cables, fibre optics, microwave and satellite, etc.
- Hardware: ports, modems, multiplexers, switches and concentrators, etc.
- Software: packet switching software, polling software, data compression software, etc.
Due to component failure, transmission between sender and receiver may be disrupted or destroyed in the communication system.
(c) Data preparation and entry: Irrespective of whether the data is obtained directly from customers or indirectly from source documents, facilities should be designed to promote speed and accuracy of data entry.
(d) Production control: This includes major functions like receipt and dispatch of input and output; job scheduling; management of SLAs with users; and acquisition of computer consumables.
(e) File library: This includes the management of an organization's machine-readable storage media like magnetic tapes, cartridges and optical disks.
(f) Documentation and program library: This involves documentation librarians ensuring that:
- documentation is stored securely;
- only authorized personnel gain access to documentation;
- documentation is kept up to date; and
- adequate backup exists for documentation.
The documentation may include the reporting responsibility and authority of each function; the definition of responsibilities and objectives of each function; policies and procedures; job descriptions; and segregation of duties.
(g) Help desk/technical support: This assists end-users to employ end-user hardware and software such as micro-computers, spreadsheet packages, database management packages, etc., and also provides technical support.
(h) Capacity planning and performance monitoring: Regular performance monitoring facilitates capacity planning, wherein resource deficiencies must be identified well in time so that the resources can be made available when they are needed.
(i) Management of outsourced operations: This has the responsibility for carrying out day-to-day monitoring of the outsourcing contract.

B. Application Controls and their Categories:
These include the programmatic routines within the application program code. The objective of application controls is to ensure that data remains complete, accurate and valid during its input, update and storage.
The specific controls could include form design, source document controls, input, processing and output controls, media identification, movement and library management, data backup and recovery, authentication and integrity, and legal and regulatory requirements.
Any function or activity that works to ensure the processing accuracy of the application can be considered an application control.
The different application controls are as follows:
I. Boundary Controls: The major controls of the boundary system are the access control mechanisms that link authentic users to the authorized resources they are permitted to access. The boundary subsystem establishes the interface between the would-be user of a computer system and the computer itself.
Q: Explain major boundary control techniques in brief. (RTP, M-12)
Q: What boundary control techniques should be used in user controls? (May 2013, 5 marks)
Boundary controls are:
Cryptography: This technique encrypts data (clear text) into cryptograms (cipher text). The three techniques of cryptography are:
- Transposition (i.e. change the order of characters within the data; for example, KILL THEM ON MONDAY can be transposed into LLIK MEHT NO YADNOM);
- Substitution (i.e. replace text with key text; for example, A, B, C ... Z can be substituted with Z, Y, X ... A); and
- Product cipher (i.e. a combination of transposition and substitution).
Passwords: A few things to be noted regarding password controls are minimum password length, avoiding the use of common dictionary words, promoting the use of special characters, periodic change of passwords, encryption of passwords, and logging of the number of entry attempts.
PIN: Similar to a password, but generated randomly, independent of user identification. Therefore it should be secured during delivery, transmission and storage.
Identity cards: Identity cards store user information that is generally required in an authentication process.
Biometric devices: Biometric identification, e.g. thumb and finger impressions and eye retina, is also used as a boundary control technique.
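The three cryptographic techniques listed above, as an added worked example in Python (not part of the study material). It implements the page's own examples, word reversal as the transposition and the A..Z to Z..A table as the substitution, and goes one step further with a keyword-derived substitution alphabet to show where the KEY enters; the keyed_alphabet helper and the keyword MONDAY are constructed for illustration. These classical ciphers illustrate the terms only and give no real protection to data.

```python
from string import ascii_uppercase as ALPHABET

ATBASH = ALPHABET[::-1]  # the page's key table: A->Z, B->Y, ... Z->A


def transposition(text: str) -> str:
    """Transposition: keep every character but change its order.
    The page's example reverses each word, so the operation is its own inverse."""
    return " ".join(word[::-1] for word in text.split(" "))


def substitution(text: str, key_alphabet: str = ATBASH) -> str:
    """Substitution: keep the order but replace each letter through a key alphabet.
    Non-letters (spaces, digits) pass through unchanged."""
    return text.translate(str.maketrans(ALPHABET, key_alphabet))


def substitution_inverse(cipher: str, key_alphabet: str = ATBASH) -> str:
    """Undo a substitution by translating the key alphabet back to A..Z."""
    return cipher.translate(str.maketrans(key_alphabet, ALPHABET))


def product_encrypt(text: str, key_alphabet: str = ATBASH) -> str:
    """Product cipher: transposition followed by substitution."""
    return substitution(transposition(text), key_alphabet)


def product_decrypt(cipher: str, key_alphabet: str = ATBASH) -> str:
    """The receiver reverses the two steps in the opposite order."""
    return transposition(substitution_inverse(cipher, key_alphabet))


def keyed_alphabet(keyword: str) -> str:
    """Hypothetical helper: derive a substitution key alphabet from a keyword.
    The keyword's letters come first (duplicates dropped), then the remaining letters
    in order. The keyword is the shared secret: a different keyword turns the same
    clear text into different cipher text."""
    seen = []
    for ch in keyword.upper() + ALPHABET:
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return "".join(seen)


if __name__ == "__main__":
    clear = "KILL THEM ON MONDAY"
    print(transposition(clear))                 # LLIK MEHT NO YADNOM
    print(substitution("ABC"))                  # ZYX
    cipher = product_encrypt(clear)
    print(cipher, "->", product_decrypt(cipher))  # OORP NVSG ML BZWMLN -> KILL THEM ON MONDAY
    key = keyed_alphabet("MONDAY")
    print(product_decrypt(product_encrypt(clear, key), key) == clear)  # True
```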

INPUT CONTROLS: Input controls are divided into the following broad classes.
Q: Explain three levels of input validation controls in detail. [PM]
Q: Discuss major processing controls in brief. [PM]

[Figure: Input Controls. Source Document Controls; Data Coding Controls (Transcription error: addition, truncation, substitution; Transposition error: single transposition, double transposition); Batch Controls; Validation Controls (Field interrogation, Record interrogation, File interrogation).]

INPUT CONTROLS
1. Source document controls: Fraud can be implemented on source documents to manipulate entries or to remove assets. To control against this type of exposure, the organization must implement control procedures over source documents to account for each document.
2. Data coding controls: Two types of errors can corrupt a data code and cause processing errors. These are transcription and transposition errors.
Transcription errors fall into three classes:
a) Addition: when an extra digit is added, e.g. 3256 can be coded as 32569.
b) Truncation: when a digit is removed from the end, e.g. 3256 can be coded as 325.
c) Substitution: replacement of one digit in a code with another, e.g. 3256 can be coded as 3258.
Transposition errors are of two types:
a) Single transposition: when two adjacent digits are reversed, e.g. 32568 can be coded as 35268.
b) Multiple transposition: when non-adjacent digits are transposed, e.g. 32568 can be coded as 52386.
Any of these errors can cause serious problems in data processing if they go undetected. For example, a sales order for customer 12345 that is transposed into 12354 will be posted to the wrong customer's account.
3. Batch controls: Batching is the process of grouping together transactions that bear the same type of relationship to each other. Three types of control totals can be calculated:
- Financial totals: grand totals calculated for each field containing monetary amounts.
- Hash totals: grand totals calculated for any code on a document in the batch; e.g. source document serial numbers can be totalled.
- Record count: grand totals for the number of documents in the batch.
4. Validation controls: Input validation controls are intended to detect errors in the transaction data before the data are processed. There are three levels of input validation controls:
Field interrogation: It involves programmed procedures that examine the characters of the data in the field. This includes checks like the limit check (against predefined limits), picture checks (against entry into processing of incorrect/invalid characters), valid code checks (against predetermined transaction codes or tables), etc.
Record interrogation: This includes the reasonableness check (is the value specified in a field reasonable for that particular field?), valid sign (to determine which sign is valid for a numeric field) and sequence check (to follow a required order matching with logical records).
File interrogation: This includes version usage; internal and external labelling; data file security; file updating and maintenance authorization, etc.

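The data coding error classes, the three batch control totals and the field and record interrogation checks from the input controls above, as one added Python example (not code from the study material); the sample batch, the control-slip figures, the valid transaction code table, the amount limit and the unit-price range are all constructed.

```python
import re


# ---- 2. Data coding controls: classify how a keyed code differs from the correct code ----
def classify_code_error(correct: str, keyed: str) -> str:
    """Return the page's error class for `keyed` relative to `correct`."""
    if keyed == correct:
        return "none"
    if len(keyed) == len(correct) + 1 and any(
        keyed[:i] + keyed[i + 1:] == correct for i in range(len(keyed))
    ):
        return "addition"                        # an extra digit was keyed
    if len(keyed) == len(correct) - 1 and correct.startswith(keyed):
        return "truncation"                      # a digit dropped from the end
    if len(keyed) == len(correct):
        diff = [i for i, (a, b) in enumerate(zip(correct, keyed)) if a != b]
        if len(diff) == 1:
            return "substitution"                # one digit replaced by another
        if sorted(correct) == sorted(keyed):     # same digits, different order
            if len(diff) == 2 and diff[1] == diff[0] + 1:
                return "single transposition"    # two adjacent digits reversed
            return "multiple transposition"      # non-adjacent digits transposed
    return "other"


# ---- 3. Batch controls: financial total, hash total and record count ----
def batch_totals(batch):
    """Amounts are whole paise (integers), so the financial total is exact."""
    return {
        "record_count": len(batch),
        "financial_total": sum(r["amount"] for r in batch),
        "hash_total": sum(r["doc_no"] for r in batch),   # meaningless sum of serial numbers
    }


def reconcile_batch(control_slip, batch):
    """Totals that differ from the batch control slip, as {name: (expected, actual)}."""
    actual = batch_totals(batch)
    return {k: (control_slip[k], actual[k]) for k in control_slip if control_slip[k] != actual[k]}


# ---- 4. Validation controls: field interrogation and record interrogation ----
VALID_TXN_CODES = {"SAL", "RET"}          # constructed valid-code table
AMOUNT_LIMIT = 1_000_000                  # constructed limit check: 10,000.00
UNIT_PRICE_RANGE = (100, 5_000_000)       # constructed reasonableness range per unit


def validate_record(rec, prev_doc_no):
    """Return the list of failed checks for one transaction record."""
    errors = []
    # field interrogation: looks at the characters of single fields
    if not re.fullmatch(r"\d{5}", rec["customer"]):
        errors.append("picture check: customer code must be 5 digits")
    if rec["txn_code"] not in VALID_TXN_CODES:
        errors.append("valid code check: unknown transaction code")
    if abs(rec["amount"]) > AMOUNT_LIMIT:
        errors.append("limit check: amount exceeds predefined limit")
    # record interrogation: relates the fields of a record to each other and to the previous record
    if rec["txn_code"] == "RET" and rec["amount"] >= 0:
        errors.append("valid sign check: a return must carry a negative amount")
    if rec["qty"] > 0 and not UNIT_PRICE_RANGE[0] <= abs(rec["amount"]) // rec["qty"] <= UNIT_PRICE_RANGE[1]:
        errors.append("reasonableness check: amount per unit is implausible")
    if rec["doc_no"] <= prev_doc_no:
        errors.append("sequence check: document number out of order")
    return errors


def validate_batch(batch):
    """Map doc_no -> failed checks for every record that must be rejected."""
    rejected, prev = {}, 0
    for rec in batch:
        errs = validate_record(rec, prev)
        if errs:
            rejected[rec["doc_no"]] = errs
        prev = max(prev, rec["doc_no"])
    return rejected


# Constructed batch of three sales-order records. The control slip was prepared from the
# source documents before keying. Record 1002 was keyed with a transposed customer code
# (12354 for 12345) and with a positive amount although it is a return.
CONTROL_SLIP = {"record_count": 3, "financial_total": 137_450, "hash_total": 3006}
KEYED_BATCH = [
    {"doc_no": 1001, "customer": "12345", "txn_code": "SAL", "qty": 10, "amount": 25_000},
    {"doc_no": 1002, "customer": "12354", "txn_code": "RET", "qty": 2, "amount": 7_550},
    {"doc_no": 1003, "customer": "67890", "txn_code": "SAL", "qty": 5, "amount": 120_000},
]

if __name__ == "__main__":
    print(classify_code_error("12345", "12354"))        # single transposition
    print(reconcile_batch(CONTROL_SLIP, KEYED_BATCH))   # financial total differs
    print(validate_batch(KEYED_BATCH))                  # record 1002 fails the sign check
```

The transposed customer code on record 1002 passes every field check, since 12354 is still five digits; only a hash total taken over the customer code field would expose it, which is why the page pairs validation with batch totals.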
Communication Controls: These discuss exposures in the communication subsystem, controls over physical components, communication line errors, flows and links, topological controls, channel access controls, controls over subversive attacks, internetworking controls, communication architecture controls, audit trail controls, and existence controls. Some communication controls are as follows:
(a) Physical component controls: These controls incorporate features that mitigate the possible effects of exposures.
(b) Line error controls: Whenever data is transmitted over a communication line, it can be received in error because of attenuation, distortion or noise that occurs on the line. These errors must be detected and corrected.
(c) Flow controls: Flow controls are needed because two nodes in a network can differ in terms of the rate at which they can send, receive and process data. For example, a mainframe can transmit data to a microcomputer terminal faster than the terminal can receive and process it.
(d) Link controls: In a Wide Area Network (WAN), line error control and flow control are important functions in the component that manages the link between two nodes in a network.
(e) Channel access controls: Two different nodes in a network can compete to use a communication channel. Whenever the possibility of contention for the channel exists, some type of channel access control technique must be used.

PROCESSING CONTROLS:
The processing subsystem is responsible for computing, sorting, classifying, and summarizing data. Its major components are the central processor in which programs are executed, the real or virtual memory in which program instructions and data are stored, the operating system that manages system resources, and the application programs that execute instructions to achieve specific user requirements. Some of these controls are as follows:
(i) Processor Controls: Table 3.4.6 lists the controls to reduce expected losses from errors and irregularities associated with central processors:
Controls to reduce expected losses from errors and irregularities associated with central processors
Error detection and correction: Occasionally, processors might malfunction. The causes could be design errors, manufacturing defects, damage, fatigue, electromagnetic interference and ionizing radiation. The failure might be transient (disappears after a short period), intermittent (reoccurs periodically), or permanent (does not correct with time). For transient and intermittent errors, retries and re-execution might be successful, whereas for permanent errors the processor must halt and report the error.
Multiple execution states: It is important to determine the number and nature of the execution states enforced by the processor. This helps auditors to determine which user processes will be able to carry out unauthorized activities, such as gaining access to sensitive data maintained in memory regions assigned to the operating system or other user processes.
Timing controls: An operating system might get stuck in an infinite loop. In the absence of any control, the program will retain use of the processor and prevent other programs from undertaking their work.
Component replication: In some cases, processor failure can result in significant losses. Redundant processors allow errors to be detected and corrected. If processor failure is permanent in multicomputer or multiprocessor architectures, the system might reconfigure itself to isolate the failed processor.

(ii) Real Memory Controls: This comprises the fixed amount of primary storage in which programs or
data must reside for them to be executed or referenced by the central processor. Real memory
controls seek to detect and correct errors that occur in memory cells and to protect areas of
memory assigned to a program from illegal access by another program.
(iii) Virtual Memory Controls: Virtual Memory exists when the addressable storage space is larger than
the available real memory space. To achieve this outcome, a control mechanism must be in place
that maps virtual memory addresses into real memory addresses.
(iv) Data Processing Controls: These perform validation checks to identify errors during processing of
data. They are required to ensure both the completeness and the accuracy of data being
processed. Normally, the processing controls are enforced through the database management
system that stores the data. However, adequate controls should be enforced through the front-
end application system also to have consistency in the control process.
Database Controls
Controls that protect the integrity of a database when application software acts as an interface between the user and the database are called update controls and report controls.
Major update controls are as follows:
Sequence check between transaction and master files: Synchronization and the correct sequence of processing between the master file and the transaction file are critical to maintain the integrity of updating, insertion or deletion of records in the master file with respect to the transaction records. If errors at this stage are overlooked, they lead to corruption of the critical data.
Ensure all records on files are processed: While processing, the transaction file records are mapped to the respective master file records, and the end-of-file of the transaction file with respect to the end-of-file of the master file is to be ensured.
Process multiple transactions for a single record in the correct order: Multiple transactions can occur based on a single master record (e.g. dispatch of a product to different distribution centres). Here, the order in which transactions are processed against the product master record must be based on sorted transaction codes.
Maintain a suspense account: When mapping between the master records and transaction records results in a mismatch due to failure of the corresponding record entry in the master record, these transactions are maintained in a suspense account.

Major report controls are as follows:
Standing data: Application programs use many internal tables to perform various functions like gross pay calculation, billing calculation based on a price table, bank interest calculation, etc. Maintaining the integrity of the pay rate table, price table and interest table is critical within an organization.
Print run-to-run control totals: Run-to-run control totals help in identifying errors or irregularities like a record dropped erroneously from a transaction file, a wrong sequence of updating, or application software processing errors.
Print suspense account entries: Similar to the update controls, the suspense account entries are to be periodically monitored against the respective error file and action taken on time.
Existence/recovery controls: The backup and recovery strategies together encompass the controls required to restore a database after failure. Backup strategies are implemented using prior versions and logs of transactions or changes to the database. Recovery strategies involve the roll-forward (current state database from a previous version) or roll-back (previous state database from the current version) methods.
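The update controls (sequence check, processing every record, ordered processing of multiple transactions per master record, suspense account) and the run-to-run control totals from the report controls above, as one added Python example of a sequential master file update (not code from the study material); the stock master, the transaction file and the rule that a dispatch may not exceed stock on hand are constructed.

```python
def sequence_check(records, key):
    """Sequence check: a file is in order when its keys never decrease."""
    keys = [r[key] for r in records]
    return keys == sorted(keys)


def update_master(master, transactions):
    """Sequential update of a sorted stock master from a sorted transaction file.

    Returns (new_master, suspense, run_to_run_totals). Transactions with no matching
    master record go to the suspense account instead of being silently dropped.
    """
    if not sequence_check(master, "product"):
        raise ValueError("sequence check failed: master file is not sorted by product")
    if not sequence_check(transactions, "product"):
        raise ValueError("sequence check failed: transaction file is not sorted by product")

    new_master, suspense, applied = [], [], 0
    t = 0
    for rec in master:
        rec = dict(rec)  # work on a copy so the old master survives as the prior version
        # transactions keyed below this master record have no master record at all
        while t < len(transactions) and transactions[t]["product"] < rec["product"]:
            suspense.append({**transactions[t], "reason": "no master record"})
            t += 1
        # all transactions for this master record, in the order of the sorted transaction file
        while t < len(transactions) and transactions[t]["product"] == rec["product"]:
            txn = transactions[t]
            if txn["type"] == "RECEIPT":
                rec["stock"] += txn["qty"]
                applied += 1
            elif txn["type"] == "DISPATCH" and txn["qty"] <= rec["stock"]:
                rec["stock"] -= txn["qty"]
                applied += 1
            else:
                reason = ("dispatch exceeds stock on hand" if txn["type"] == "DISPATCH"
                          else "unknown transaction type")
                suspense.append({**txn, "reason": reason})
            t += 1
        new_master.append(rec)
    # end-of-file check: transactions left after the last master record are unmatched
    while t < len(transactions):
        suspense.append({**transactions[t], "reason": "no master record"})
        t += 1

    totals = {
        "master_in": len(master), "master_out": len(new_master),
        "txn_in": len(transactions), "applied": applied, "suspended": len(suspense),
    }
    # run-to-run control: every record read must be accounted for on the way out
    totals["balanced"] = (totals["master_out"] == totals["master_in"]
                          and totals["applied"] + totals["suspended"] == totals["txn_in"])
    return new_master, suspense, totals


# Constructed stock master and transaction file, both sorted by product; within a product the
# transactions are in sequence number order so a receipt is applied before a later dispatch.
MASTER = [
    {"product": "P100", "stock": 50},
    {"product": "P200", "stock": 10},
    {"product": "P300", "stock": 0},
]
TRANSACTIONS = [
    {"seq": 1, "product": "P100", "type": "DISPATCH", "qty": 20},
    {"seq": 2, "product": "P100", "type": "DISPATCH", "qty": 25},
    {"seq": 3, "product": "P150", "type": "DISPATCH", "qty": 5},   # no master record
    {"seq": 4, "product": "P200", "type": "RECEIPT", "qty": 15},
    {"seq": 5, "product": "P200", "type": "DISPATCH", "qty": 20},  # only valid after seq 4
    {"seq": 6, "product": "P400", "type": "RECEIPT", "qty": 3},    # beyond end of master
]

if __name__ == "__main__":
    new_master, suspense, totals = update_master(MASTER, TRANSACTIONS)
    print(new_master)                              # stock 5, 5, 0
    print([s["seq"] for s in suspense], totals)    # [3, 6], applied 4, suspended 2
```

Processing the P200 transactions in the wrong order (seq 5 before seq 4) sends the dispatch to suspense although the stock existed, which is the point of the "correct order" control.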
Output Controls
Output controls ensure that the data delivered to users will be presented, formatted and delivered in a consistent and secure manner. Output can be in any form: it can either be a printed data report or a database file on removable media. Various output controls are as follows:
Storage and logging of sensitive, critical forms: Pre-printed stationery should be stored securely to prevent unauthorized destruction or removal and usage.
Logging of output program executions: When programs used for output of data are executed, these should be logged and monitored; otherwise the confidentiality/integrity of the data may be compromised.
Spooling/queuing: "Spool" is an acronym for "Simultaneous Peripheral Operations Online". This is a process used to ensure that the user can continue working while the print operation is being completed. A queue is the list of documents waiting to be printed on a particular printer; this should not be subject to unauthorized modifications.
Controls over printing: Outputs should be made on the correct printer, and it should be ensured that unauthorized disclosure of printed information does not take place.
Report distribution and collection controls: Distribution of reports should be made in a secure way to prevent unauthorized disclosure of data. It should be made immediately after printing to ensure that the time gap between generation and distribution is reduced. A log should be maintained of the reports that were generated and to whom they were distributed.
Retention controls: Retention controls consider the duration for which outputs should be retained before being destroyed. Retention control requires that a date should be determined for each output item produced.
INFORMATION SYSTEM AUDITING

IS auditing is defined as the process of attesting objectives (those of the external auditor), which focus on asset safeguarding and data integrity, and management objectives (those of the internal auditor), which include both effectiveness and efficiency. This enables organizations to better achieve four major objectives, which are as follows:
Asset safeguarding objectives: The IS assets (hardware, software, data, information, etc.) must be protected by a system of internal controls from unauthorized access.
Data integrity objectives: This is a fundamental attribute of IS auditing. Maintaining the integrity of an organization's data is required at all times. It is also important from the business perspective of the decision maker, competition and the market environment.
System effectiveness objectives: The effectiveness of a system is evaluated by auditing the characteristics and objectives of the system to meet business and user requirements.
System efficiency objectives: To optimize the use of various IS resources (machine time, peripherals, system software and labour) along with the impact on its computing environment.

Need for Audit of IS


Factors influencing an organization toward controls and audit of computers, and the impact of the IS
audit function on organizations, are depicted in the Fig.

Impact of Controls and Audit influencing an Organization

Let us now discuss these reasons in detail:
Organizational Costs of Data Loss: Data is a critical resource of an organisation for its present and
future processes and for its ability to adapt and survive in a changing environment.
Cost of Incorrect Decision Making: Management and operational controls taken by managers involve
detection, investigation and correction of processes. These high-level decisions require accurate data
to produce quality decision rules.
Costs of Computer Abuse: Unauthorized access to computer systems, malware, unauthorized physical access
to computer facilities and unauthorized copies of sensitive data can lead to destruction of assets
(hardware, software, data, information etc.).
Value of Computer Hardware, Software and Personnel: These are critical resources of an organisation,
which have a credible impact on its infrastructure and business competitiveness.
High Costs of Computer Error: In a computerized enterprise environment where many critical business
processes are performed, a data error during entry or processing could cause great damage.
Maintenance of Privacy: Today, data collected in a business process contains private information about
individuals too. Such data were also collected before computers, but now there is a fear that privacy
has eroded beyond acceptable levels.
Controlled Evolution of Computer Use: The reliability of complex computer systems cannot be guaranteed,
and the consequences of using unreliable systems can be destructive.

Tools for IS Audit


Today, organizations produce information on a real-time, online basis. Real-time recording needs
real-time auditing to provide continuous assurance about the quality of the data; this is continuous
auditing. Continuous auditing enables auditors to significantly reduce, and perhaps eliminate, the time
between the occurrence of the client's events and the auditor's assurance services thereon. Errors in a
computerized system are generated at high speed, and the cost to correct and rerun programs is high. If
these errors can be detected and corrected at, or closest to, the point of their occurrence, their
impact would be the least. Continuous auditing techniques use two bases for collecting audit evidence:
one is the use of embedded modules in the system to collect, process, and print audit evidence, and the
other is special audit records used to store the audit evidence collected.
Types of Audit Tools: Different types of continuous audit techniques may be used. Some modules for
obtaining data, audit trails and evidence may be built into the programs. Audit software is available
which can be used for selecting and testing data. Many audit tools are also available; some of them are
described below:

(i) Snapshots:
- Tracing a transaction in a computerized system can be performed with the help of snapshots or
extended records.
- The snapshot software is built into the system at those points where material processing occurs
which takes images of the flow of any transaction as it moves through the application.
- These images can be utilized to assess the authenticity, accuracy, and completeness of the
processing carried out on the transaction.
- The main areas to stay upon while involving such a system are to
o locate the snapshot points based on materiality of transactions,
o when the snapshot will be captured and
o the reporting system design and implementation to present data in a meaningful way.
(ii) Integrated Test Facility (ITF):
- The ITF technique involves the creation of a dummy entity in the application system files and
the processing of audit test data against the entity as a means of verifying processing
authenticity, accuracy, and completeness.
- This test data would be included with the normal production data used as input to the
application system.
- In such cases the auditor must decide what would be the method to be used to enter test data
and the methodology for removal of the effects of the ITF transactions.
(iii) System Control Audit Review File (SCARF):
- The SCARF technique involves embedding audit software modules within a host application
system to provide continuous monitoring of the system’s transactions.
- The information collected is written onto a special audit file- the SCARF master files.
- Auditors then examine the information contained on this file to see if some aspect of the
application system needs follow-up.
- In many ways, the SCARF technique is like the snapshot technique along with other data
collection capabilities.
(iv) Continuous and Intermittent Simulation (CIS):
- This is a variation of the SCARF continuous audit technique. This technique can be used to trap
exceptions whenever the application system uses a database management system. During
application system processing, CIS executes in the following way:
 The database management system reads an application system transaction. It is passed to
CIS. CIS then determines whether it wants to examine the transaction further. If yes, the
next steps are performed or otherwise it waits to receive further data from the database
management system.
 CIS replicates or simulates the application system processing.
 Every update to the database that arises from processing the selected transaction will be
checked by CIS to determine whether discrepancies exist between the results it produces
and those the application system produces.
 Exceptions identified by CIS are written to an exception log file.
 The advantage of CIS is that it does not require modifications to the application system and
yet provides an online auditing capability.
(v) Audit Hooks:
- These are audit routines that flag suspicious transactions.
For example, internal auditors at an insurance company determined that their policyholder system was
vulnerable to fraud every time a policyholder changed his or her name or address and then subsequently
withdrew funds from the policy. They devised a system of audit hooks to tag records with a name or
address change. The internal audit department then investigates these tagged records to detect fraud.
When audit hooks are employed, auditors can be informed of questionable transactions as soon as they
occur. This approach of real-time notification displays a message on the auditor's terminal.
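As an added illustration (not code from the chapter), the following Python sketch embeds an audit module in a simplified policyholder application: it takes snapshot images at the material processing point, and an audit hook tags name or address changes and writes any later withdrawal on a tagged policy to a SCARF-style exception file. The 30-day window, the policy records and the transactions are all constructed assumptions.

```python
"""Added example (not from the chapter): an embedded audit module that pairs the
snapshot and SCARF techniques with the audit hook described above, flagging a
withdrawal that follows a name or address change on the same policy."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed policy value: a withdrawal this soon after a name/address change is
# written to the exception file (the chapter gives no specific window).
TAG_WINDOW = timedelta(days=30)


@dataclass
class Policy:
    policy_id: str
    holder: str
    address: str
    balance: float
    tagged_at: Optional[datetime] = None   # set by the audit hook
    tag_reason: str = ""


@dataclass(frozen=True)
class Transaction:
    ts: datetime
    policy_id: str
    kind: str    # NAME_CHANGE | ADDRESS_CHANGE | WITHDRAWAL
    value: str   # new name, new address, or amount as text


@dataclass
class AuditModule:
    """Embedded audit software: snapshot images plus a SCARF exception file."""
    scarf_file: List[dict] = field(default_factory=list)
    snapshots: List[dict] = field(default_factory=list)

    def snapshot(self, point: str, txn: Transaction, policy: Policy) -> None:
        """Record an image of the policy record at a material processing point."""
        self.snapshots.append({"point": point, "ts": txn.ts, "kind": txn.kind,
                               "policy_id": policy.policy_id, "holder": policy.holder,
                               "address": policy.address, "balance": policy.balance})

    def hook(self, txn: Transaction, policy: Policy) -> bool:
        """Audit hook: tag name/address changes; log a later withdrawal to SCARF."""
        if txn.kind in ("NAME_CHANGE", "ADDRESS_CHANGE"):
            policy.tagged_at, policy.tag_reason = txn.ts, txn.kind
            return False
        if (txn.kind == "WITHDRAWAL" and policy.tagged_at is not None
                and txn.ts - policy.tagged_at <= TAG_WINDOW):
            self.scarf_file.append({"ts": txn.ts, "policy_id": policy.policy_id,
                                    "amount": float(txn.value), "reason": policy.tag_reason,
                                    "days_since_change": (txn.ts - policy.tagged_at).days})
            return True
        return False


def process(txns: List[Transaction], policies: Dict[str, Policy], audit: AuditModule) -> None:
    """Application processing with the audit module invoked at each material point."""
    for txn in sorted(txns, key=lambda t: t.ts):
        policy = policies[txn.policy_id]
        audit.snapshot("before", txn, policy)
        if txn.kind == "NAME_CHANGE":
            policy.holder = txn.value
        elif txn.kind == "ADDRESS_CHANGE":
            policy.address = txn.value
        elif txn.kind == "WITHDRAWAL":
            amount = float(txn.value)
            if amount > policy.balance:
                raise ValueError(f"{policy.policy_id}: insufficient balance")
            policy.balance -= amount
        else:
            raise ValueError(f"unknown transaction kind {txn.kind}")
        audit.hook(txn, policy)   # runs inside the application, as the chapter describes
        audit.snapshot("after", txn, policy)


def run_demo() -> Tuple[Dict[str, Policy], AuditModule]:
    """Constructed sample data (not real policyholders)."""
    day = datetime(2024, 1, 1)
    policies = {
        "P-100": Policy("P-100", "A. Rao", "12 Old St", 1000.0),
        "P-200": Policy("P-200", "B. Lin", "5 Park Rd", 500.0),
        "P-300": Policy("P-300", "C. Diaz", "9 Hill Ave", 800.0),
    }
    txns = [
        Transaction(day + timedelta(days=5), "P-100", "ADDRESS_CHANGE", "77 New Lane"),
        Transaction(day + timedelta(days=12), "P-100", "WITHDRAWAL", "400"),   # tagged: 7 days later
        Transaction(day + timedelta(days=3), "P-200", "WITHDRAWAL", "100"),    # no prior change
        Transaction(day + timedelta(days=1), "P-300", "NAME_CHANGE", "C. Diaz-Moreno"),
        Transaction(day + timedelta(days=60), "P-300", "WITHDRAWAL", "50"),    # outside the window
    ]
    audit = AuditModule()
    process(txns, policies, audit)
    return policies, audit
```

Only the P-100 withdrawal lands in the exception file; the P-300 withdrawal is on a tagged policy but falls outside the window, which is the kind of threshold the auditor must decide when locating snapshot points.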

AUDIT TRAIL
Audit Trails are logs that can be designed to record activity at the system, application, and user level.
When properly implemented, audit trails provide an important detective control to help accomplish
security policy objectives. Many operating systems allow management to select the level of auditing to
be provided by the system. This determines which events will be recorded in the log. An effective
audit policy will capture all significant events without cluttering the log with trivial activity.
Audit trail controls attempt to ensure that a chronological record of all events that have occurred in a
system is maintained. This record is needed to answer queries, fulfill statutory requirements, detect
the consequences of error and allow system monitoring and tuning.
 The Accounting Audit Trail shows the source and nature of data and processes that update the
database.
 The Operations Audit Trail maintains a record of attempted or actual resource consumption within
a system.
Applications System Controls involve ensuring that individual application systems safeguard assets
(reducing expected losses), maintain data integrity (ensuring complete, accurate and authorized data)
and achieve objectives effectively and efficiently from the perspective of users of the system from
within and outside the organization.
(i) Audit Trail Objectives: Audit trails can be used to support security objectives in three ways:
Detecting Unauthorized Access: Detecting unauthorized access can occur in real time or after the fact.
The primary objective of real-time detection is to protect the system from outsiders who are attempting
to breach system controls. A real-time audit trail can also be used to report on changes in system
performance that may indicate infestation by a virus or worm. Depending upon how much activity is being
logged and reviewed, real-time detection can impose a significant overhead on the operating system, which
can degrade operational performance.
After-the-fact detection: logs can be stored electronically and reviewed periodically or as needed. When
properly designed, they can be used to determine if unauthorized access was accomplished, or attempted
and failed.
Reconstructing Events: Audit analysis can be used to reconstruct the steps that led to events such as
system failures, security violations by individuals, or application processing errors.
Knowledge of the conditions that existed at the time of a system failure can be used to assign
responsibility and to avoid similar situations in the future.
Audit trail analysis also plays an important role in accounting control. For example, by maintaining a
record of all changes to account balances, the audit trail can be used to reconstruct accounting data
files that were corrupted by a system failure.
Personal Accountability: Audit trails can be used to monitor user activity at the lowest level of detail.
This capability is a preventive control that can be used to influence the behavior of individuals.
Individuals are likely to violate an organization's security policy if they know that their actions are
not recorded in an audit log.
(ii) Implementing an Audit Trail: The information contained in audit logs is useful to accountants in
measuring the potential damage and financial loss associated with application errors, abuse of
authority, or unauthorized access by outside intruders. Logs also provide valuable evidence for
assessing both the adequacy of controls in place and the need for additional controls. Audit logs,
however, can generate data in overwhelming detail. Important information can easily get lost among the
superfluous detail of daily operation. Thus, poorly designed logs can be dysfunctional.
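The reconstruction use of the accounting audit trail described above, as an added Python example that is not part of the chapter: each trail record carries the before and after balance and the responsible user, so the trail can first be checked for gaps (a missing or altered record) and then replayed to rebuild a data file corrupted by a system failure. Account names and values are constructed.

```python
"""Added example (not from the chapter): replaying an accounting audit trail to
rebuild account balances after a data file is corrupted, after checking that
the trail itself is continuous."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TrailRecord:
    """One change to a balance: sequence, account, who made it, and before/after values."""
    seq: int
    account: str
    user: str        # personal accountability: the user responsible for the change
    before: float
    after: float


def first_gap(trail: List[TrailRecord], opening: Dict[str, float]) -> Optional[int]:
    """Return the sequence number of the first record whose 'before' value does not
    match the replayed balance (a missing or altered record); None if continuous."""
    balances = dict(opening)
    for rec in sorted(trail, key=lambda r: r.seq):
        if balances.get(rec.account) != rec.before:
            return rec.seq
        balances[rec.account] = rec.after
    return None


def reconstruct_balances(trail: List[TrailRecord], opening: Dict[str, float]) -> Dict[str, float]:
    """Replay a gap-free trail on top of the opening balances."""
    gap = first_gap(trail, opening)
    if gap is not None:
        raise ValueError(f"audit trail is not continuous at seq {gap}; do not rebuild from it")
    balances = dict(opening)
    for rec in sorted(trail, key=lambda r: r.seq):
        balances[rec.account] = rec.after
    return balances


def find_discrepancies(current_file: Dict[str, float], trail: List[TrailRecord],
                       opening: Dict[str, float]) -> Dict[str, Tuple[Optional[float], float]]:
    """Compare the (possibly corrupted) live file with the rebuilt balances.
    Returns account -> (value in live file, value per audit trail) for mismatches."""
    rebuilt = reconstruct_balances(trail, opening)
    return {acct: (current_file.get(acct), bal)
            for acct, bal in rebuilt.items() if current_file.get(acct) != bal}


def run_demo() -> Dict[str, Tuple[Optional[float], float]]:
    """Constructed data: ACC-1 lost its last update when the system failed."""
    opening = {"ACC-1": 1000.0, "ACC-2": 250.0}
    trail = [
        TrailRecord(1, "ACC-1", "clerk_a", 1000.0, 900.0),
        TrailRecord(2, "ACC-2", "clerk_b", 250.0, 400.0),
        TrailRecord(3, "ACC-1", "clerk_a", 900.0, 1200.0),
    ]
    corrupted_file = {"ACC-1": 900.0, "ACC-2": 400.0}
    return find_discrepancies(corrupted_file, trail, opening)
```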

Auditing Environmental Controls


Related aspects are given as follows:
(a) Role of Auditor in Auditing Environmental Controls: The attack on the World Trade Centre in 2001
created a worldwide alert, bringing focus on BCP and environmental controls. Audit of environmental
controls is a critical part of every IS audit plan. The IS auditor should satisfy himself/herself not only
about the effectiveness of the various technical controls but also about the overall controls safeguarding
the business against environmental risks. Some of the critical audit considerations that an IS auditor
should keep in mind while conducting his/her audit are given below.
(b) Audit of Environmental Controls: Audit of environmental controls requires the IS auditor to conduct
physical inspections and observe practices. Auditing environmental controls requires knowledge of
building mechanical and electrical systems as well as fire codes. The IS auditor needs to be able to
determine if such controls are effective and if they are cost-effective.
Auditing environmental controls requires attention to these and other factors and activities, including:
Power conditioning: The IS auditor should determine how frequently power conditioning equipment, such as
UPS, line conditioners, surge protectors, or motor generators, is used, inspected and maintained, and if
this is performed by qualified personnel.
Backup power: The IS auditor should determine if backup power is available via electric generators or UPS
and how frequently they are tested. He or she should examine maintenance records to see how frequently
these components are maintained and if this is done by qualified personnel.
Heating, Ventilation, and Air Conditioning (HVAC): The IS auditor should determine if HVAC systems are
providing adequate temperature and humidity levels, and if they are monitored. Also, the auditor should
determine if HVAC systems are properly maintained and if qualified persons do this.
Water detection: The IS auditor should determine if any water detectors are used in rooms where computers
are used. He or she should determine how frequently these are tested and if they are monitored.
Fire detection and suppression: The IS auditor should determine if fire detection equipment is adequate,
if staff members understand its function, and if it is tested. He or she should determine how frequently
fire suppression systems are inspected and tested, and if the organization has emergency evacuation plans
and conducts fire drills.
Cleanliness: The IS auditor should examine data centers to see how clean they are. IT equipment air
filters and the inside of some IT components should be examined to see if there is an accumulation of
dust and dirt.

Auditing Physical Security Controls


(a) Role of IS Auditor in Auditing Physical Access Controls:
Auditing physical access requires the auditor to review the physical access risks and controls to form
an opinion on the effectiveness of the physical access controls. This involves the following:
Risk Assessment: The auditor must satisfy him/herself that the risk assessment procedure adequately
covers periodic and timely assessment of all assets, physical access threats, vulnerabilities of
safeguards and the exposures arising therefrom.
Controls Assessment: Based on the risk profile, the auditor evaluates whether the physical access
controls are in place and adequate to protect the IS assets against the risks.
Review of Documents: This requires examination of relevant documentation such as the security policy and
procedures, premises plans, building plans, inventory lists and cabling diagrams.

(b) Audit of Physical Access Controls: Auditing physical security controls requires knowledge of natural
and manmade hazards, physical security controls, and access control systems.
(i) Siting and Marking: Auditing building siting and marking requires attention to several key factors
and features, including:
Proximity to hazards: The IS auditor should estimate the building's distance to natural and manmade
hazards, such as dams; rivers, lakes, and canals; natural gas and petroleum pipelines; water mains and
pipelines; earthquake faults; areas prone to landslides; volcanoes; severe weather such as hurricanes,
cyclones, and tornadoes; flood zones; military bases; airports; and railroads. The IS auditor should
determine if any risk assessment regarding hazards has been performed and if any compensating controls
that were recommended have been carried out.
Marking: The IS auditor should inspect the building and surrounding area to see if the building(s)
containing information processing equipment identify the organization. Marking may be visible on the
building itself, but also on signs or on parking stickers on vehicles.

(ii) Physical barriers: These include fencing, walls, and gates. The IS auditor needs to understand how
these are used to control access to the facility and determine their effectiveness.
(iii) Surveillance: The IS auditor needs to understand how video and human surveillance are used to
control and monitor access. He or she needs to understand how (and if) video is recorded and reviewed,
and if it is effective in preventing or detecting incidents.
(iv) Guards and dogs: The IS auditor needs to understand the use and effectiveness of security guards and
guard dogs. Processes, policies, procedures, and records should be examined to understand required
activities and how they are carried out.
(v) Key-card systems: The IS auditor needs to understand how key-card systems are used to control access
to the facility. Some points to consider include: work zones (whether the facility is divided into
security zones and which persons are permitted to access which zones); whether key-card systems record
personnel movement; and what processes and procedures are used to issue key-cards to employees.

Auditing Logical Access Controls


(a) Role of IS Auditor in Auditing Logical Access Controls
Auditing Logical Access Controls requires attention to several key areas that include the following:
(i) Network Access Paths: The IS auditor should conduct an independent review of the IT
infrastructure to map out the organization’s logical access paths. This will require considerable
effort and may require the use of investigative and technical tools, as well as specialized experts on
IT network architecture.
(ii) Documentation: The IS auditor should request network architecture and access documentation to
compare what was discovered independently against existing documentation. The auditor will
need to determine why any discrepancies exist. Similar investigations should take place for each
application to determine all of the documented and undocumented access paths to functions and
data.
(b) Audit of Logical Access Controls
(I) User Access Controls: User access controls are often the only barrier between unauthorized parties
and sensitive or valuable information. This makes the audit of user access controls particularly
significant. Auditing user access controls requires keen attention to several key factors and
activities in four areas:
(i) Auditing User Access Controls: These are to determine if the controls themselves work as designed.
Auditing user access controls requires attention to several factors, including:
Authentication: The auditor should examine
- network and system resources to determine if they require authentication, or whether any resources
can be accessed without authentication.
Access violations: The auditor should determine
- if systems, networks, and authentication mechanisms can log access violations.
These usually exist in the form of system logs showing invalid login attempts, which may indicate
intruders who are trying to log in to employee user accounts.
User account lockout: The auditor should determine
- if systems and networks can automatically lock user accounts that are the target of attacks.
A typical system configuration is one that will lock a user account after five unsuccessful login
attempts within a short period.
Intrusion detection and prevention: The auditor should determine
- if there are any IDSs or IPSs that would detect authentication-bypass attempts.
- The auditor should examine these systems to see whether they have up-to-date configurations and
signatures,
- whether they generate alerts, and
- whether the recipients of alerts act upon them.
Dormant accounts: The IS auditor should determine
- if any automated or manual process exists to identify and close dormant accounts.
Dormant accounts are user accounts that exist but are unused. These accounts represent a risk to the
environment, as they represent an additional path between intruders and valuable data.
Shared accounts: The IS auditor should determine
- if there are any shared user accounts.
These are user accounts that are frequently used by more than one person. The principal risk with shared
accounts is the inability to determine accountability for actions performed with the account.
System accounts: The IS auditor should identify all system-level accounts on networks, systems, and
applications. The auditor should determine
- the purpose of each system account and if each system account is still required,
- who has the password for each system account,
- whether accesses by system accounts are logged, and
- who monitors those logs.
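An added Python example (not from the chapter) of the log review an auditor might run when checking access violations, account lockout and dormant accounts: it parses constructed login records, flags any account that reaches five failures within a window and still logs in afterwards (lockout not enforced), and lists accounts with no recent successful login. The log format, the 15-minute window and the 90-day dormancy age are assumptions.

```python
"""Added example (not from the chapter): reviewing constructed access-log lines
for conditions the auditor checks above: invalid-login bursts, whether the
configured lockout actually fired, and dormant accounts."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Assumed policy values: the chapter only says "five unsuccessful attempts
# within a short period", so the window and dormancy age are our assumptions.
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=15)
DORMANT_AFTER = timedelta(days=90)

# Assumed log format: "<ISO timestamp> LOGIN_OK|LOGIN_FAIL user=<name> src=<host>"
LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")
Event = Tuple[datetime, str, str, str]   # (timestamp, outcome, user, source)


def parse(lines: Iterable[str]) -> List[Event]:
    """Parse log lines into chronological events; lines that do not match are skipped."""
    events: List[Event] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, outcome, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), outcome, user, src))
    return sorted(events)


def lockout_findings(events: List[Event]) -> Dict[str, str]:
    """'burst': LOCKOUT_THRESHOLD failures inside LOCKOUT_WINDOW. 'lockout not
    enforced': a successful login followed the burst inside the same window."""
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_user[ev[2]].append(ev)
    findings: Dict[str, str] = {}
    for user, evs in by_user.items():
        recent_fails: List[datetime] = []
        burst_at = None
        for ts, outcome, _, _ in evs:
            if outcome == "LOGIN_FAIL":
                recent_fails = [t for t in recent_fails if ts - t <= LOCKOUT_WINDOW] + [ts]
                if len(recent_fails) >= LOCKOUT_THRESHOLD:
                    burst_at = ts
                    findings.setdefault(user, "burst")
            elif burst_at is not None and ts - burst_at <= LOCKOUT_WINDOW:
                findings[user] = "lockout not enforced"
    return findings


def dormant_accounts(events: List[Event], known_accounts: Iterable[str],
                     as_of: datetime) -> List[str]:
    """Accounts with no successful login within DORMANT_AFTER of the review date."""
    last_ok: Dict[str, datetime] = {}
    for ts, outcome, user, _ in events:
        if outcome == "LOGIN_OK":
            last_ok[user] = max(last_ok.get(user, ts), ts)
    return sorted(u for u in known_accounts
                  if u not in last_ok or as_of - last_ok[u] > DORMANT_AFTER)


# Constructed sample log (not real data). The last line is deliberately off-format.
SAMPLE_LOG = [
    "2024-03-04T09:00:00 LOGIN_FAIL user=jsmith src=10.0.0.5",
    "2024-03-04T09:01:00 LOGIN_FAIL user=jsmith src=10.0.0.5",
    "2024-03-04T09:02:00 LOGIN_FAIL user=jsmith src=10.0.0.5",
    "2024-03-04T09:03:00 LOGIN_FAIL user=jsmith src=10.0.0.5",
    "2024-03-04T09:04:00 LOGIN_FAIL user=jsmith src=10.0.0.5",
    "2024-03-04T09:06:00 LOGIN_OK user=jsmith src=10.0.0.5",      # lockout should have blocked this
    "2024-03-03T17:00:00 LOGIN_OK user=bkhan src=10.0.0.9",
    "2024-03-04T09:10:00 LOGIN_FAIL user=bkhan src=10.0.0.9",
    "2024-03-04T09:10:30 LOGIN_FAIL user=bkhan src=10.0.0.9",
    "2024-03-04T09:11:00 LOGIN_FAIL user=bkhan src=10.0.0.9",
    "2024-03-04T09:11:30 LOGIN_FAIL user=bkhan src=10.0.0.9",
    "2024-03-04T09:12:00 LOGIN_FAIL user=bkhan src=10.0.0.9",
    "2024-03-04T08:00:00 LOGIN_FAIL user=cjones src=10.0.0.7",    # five failures, but spread out
    "2024-03-04T08:20:00 LOGIN_FAIL user=cjones src=10.0.0.7",
    "2024-03-04T08:40:00 LOGIN_FAIL user=cjones src=10.0.0.7",
    "2024-03-04T09:00:00 LOGIN_FAIL user=cjones src=10.0.0.7",
    "2024-03-04T09:20:00 LOGIN_FAIL user=cjones src=10.0.0.7",
    "2023-11-01T10:00:00 LOGIN_OK user=mlee src=10.0.0.20",
    "2024-03-01T10:00:00 LOGIN_OK user=rpatel src=10.0.0.21",
    "2024-03-04T09:30:00 SESSION_TIMEOUT user=rpatel",            # ignored by the parser
]
KNOWN_ACCOUNTS = ["jsmith", "bkhan", "cjones", "mlee", "rpatel", "tgarcia"]
REVIEW_DATE = datetime(2024, 3, 4, 18, 0, 0)


def run_review(lines: Iterable[str] = SAMPLE_LOG) -> Dict[str, object]:
    """Run both checks over the log and return the findings for the working papers."""
    events = parse(lines)
    return {"lockout": lockout_findings(events),
            "dormant": dormant_accounts(events, KNOWN_ACCOUNTS, REVIEW_DATE)}
```

Note that cjones is reported as dormant rather than as a burst: five failures spread over eighty minutes never fall inside the window, and the account has no successful login at all, which is exactly the unused-but-attackable case the chapter warns about.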

(ii) Auditing Password Management: The IS auditor needs to examine password configuration settings on
the IS to determine how passwords are controlled. Some of the areas requiring examination are: how many
characters a password must have and whether there is a maximum length; how frequently passwords must be
changed; whether former passwords may be used again; whether the password is displayed when logging in
or when creating a new password; etc.
(iii) Auditing User Access Provisioning: Auditing the user access provisioning process requires attention
to several key activities, including:
Access request processes: The IS auditor should identify
- all user access request processes and
- determine if these processes are used consistently throughout the organization.
Access approvals: The IS auditor needs to determine
- how requests are approved and
- by what authority they are approved,
- if system owners approve access requests, or if any accesses are ever denied.
New employee provisioning: The IS auditor should examine
- the new employee provisioning process to see how a new employee's user accounts are initially set up,
- if new employees' managers are aware of the access requests that their employees are given and if they
are excessive.
Segregation of Duties (SOD): The IS auditor should determine
- if the organization makes any effort to identify segregation of duties.
- This may include whether there are any SOD matrices in existence and if they are actively used.
Access reviews: The IS auditor should determine
- if there are any periodic access reviews and
- what aspects of user accounts are reviewed;
- this may include termination reviews, internal transfer reviews, SOD reviews, and dormant account
reviews.

(iv) Auditing Employee Terminations: Auditing employee terminations requires attention to several key
factors, including:
Termination process: The IS auditor should examine
- the employee termination process and
- determine its effectiveness.
- This examination should include an understanding of how terminations are performed and
- how user account management personnel are notified of terminations.
Access reviews: The IS auditor should determine
- if any internal reviews of terminated accounts are performed, which would indicate a pattern of
concern for effectiveness in this important activity.
- If such reviews are performed, whether any missed terminations are identified and whether any process
improvements are undertaken.
Contractor access and terminations: The IS auditor needs to determine
- how contractor access and termination is managed and if such management is effective.
(II) User Access Logs: The IS auditor needs to determine what events are recorded in access logs. The IS
auditor needs to understand the capabilities of the system being audited and determine if the right
events are being logged, or if logging is suppressed on events that should be logged.
Centralized access logs: The IS auditor should determine
- if the organization's access logs are aggregated or
- if they are stored on individual systems.
Access log protection: The auditor needs to determine
- if access logs can be attacked to cause the system to stop logging events.
- For especially high-sensitivity environments, determine if logs should be written to permanent digital
media that is unalterable.
Access log review: The IS auditor needs to determine
- if there are policies, processes, or procedures regarding access log review.
- The auditor should determine if access log reviews take place, who performs them, how issues requiring
attention are identified, and what actions are taken when necessary.
Access log retention: The IS auditor should determine
- how long access logs are retained by the organization and if they are backed up.
(III) Investigative Procedures: Auditing investigative procedures requires attention to several key
activities, including:
Investigation policies and procedures: The IS auditor should determine
- if there are any policies or procedures regarding security investigations.
- This would include who is responsible for performing investigations, where information about
investigations is stored, and to whom the results of investigations are reported.
Computer crime investigations: The IS auditor should determine
- if policies and procedures are framed regarding computer crime investigations.
- The auditor should understand how internal investigations are carried out and how matters are
referred to law enforcement.
Computer forensics: The IS auditor should determine
- if there are procedures for conducting computer forensics;
- the tools and techniques available to the organization for the acquisition and custody of forensic
data; and
- whether any employees have received computer forensics training and are qualified to perform such
investigations.

(IV) Internet Points of Presence: The IS auditor who is performing a comprehensive audit of an
organization's systems and networks needs to perform a "points of presence" audit to discover what
technical information is available about the organization's Internet presence. Some of the aspects of
this intelligence gathering include:
Search engines:
- Google, Yahoo!, and other search engines should be consulted to see what information about the
organization is available.
- Searches should include the names of company officers and management, key technologists, and any
internal information such as the names of projects.
Social networking sites:
- Social networking sites such as Facebook, LinkedIn, Myspace, and Twitter should be searched to see
what employees, former employees, and others are saying about the organization.
- Any authorized or unauthorized "fan pages" should be searched as well.
Online sales sites:
- Sites such as Craigslist and eBay should be searched to see if anything related to the organization
is sold online.
Domain names:
- The IS auditor should verify contact information for known domain names, as well as related domain
names.
- For example, for the organization mycompany.com, the auditor should search for domain names such as
mycompany.net, mycompany.info, and mycompany.biz to see if they are registered and what content is
available.
Justification of Online Presence:
- The IS auditor should examine business records to determine on what basis the organization
established online capabilities such as e-mail, Internet-facing web sites, Internet e-commerce,
Internet access for employees, and so on.
- These services add risk to the business and consume resources.
- The auditor should determine if a viable business case exists to support these services or if they
exist only as a "benefit" for employees.

Managerial Controls and their Audit Trails


The auditors play a vital role in evaluating the performance of various controls under managerial
controls. Some of the key areas that auditors should pay attention to while evaluating Managerial
controls and its types are provided below:

Top Mgt and IS Management Controls


The major activities that senior mgt must perform are Planning, Organizing, Leading and Controlling. The
role of the auditor at each activity is discussed below:
Planning: Auditors need to evaluate
- whether top mgt has formulated a high-quality IS plan that is appropriate to the needs of the
organization or not.
- A poor-quality IS plan is ineffective and inefficient, leading to loss of the organization's
competitive position within the marketplace.
Organizing: Auditors should be concerned about
- how well top mgt acquires and manages staff resources.
Leading: Generally, the auditors examine variables that often indicate when motivation problems exist or
suggest poor leadership; for example, staff turnover statistics and staff absenteeism levels are used to
evaluate the leading function. Auditors may use both formal and informal sources of evidence to evaluate
how well top managers communicate with their staff.
Controlling: Auditors should focus on control activities that should be performed by top management,
namely those aimed at ensuring that the information systems function accomplishes its objectives at a
global level. Auditors must evaluate whether top mgt's choice of controls is likely to be effective or
not.

System Development Mgt Controls


Three different types of audit may be conducted during the system development process, as discussed in
the Table.
Different types of Audit during System Development Process
Concurrent Audit:
- Auditors are members of the SD team.
- They assist the team in improving the quality of system development for the specific system they are
building and implementing.
Post-implementation Audit:
- Auditors help an organization learn from its experiences in the development of a specific application
system.
- In addition, they might evaluate whether the system needs to be scrapped, continued, or modified in
some way.
General Audit:
- Auditors evaluate overall SD controls.
- They seek to determine whether they can reduce the extent of substantive testing needed to form an
audit opinion about management's assertions relating to the financial statements or to systems
effectiveness and efficiency.

An external auditor is more likely to undertake general audits rather than concurrent or post-
implementation audits of the systems development process. For internal auditors, mgt might require
that they participate in the development of material application systems or undertake post-
implementation reviews of material application systems as a matter of course.

Programming Mgt. Controls


Some of the major concerns that an auditor should address under the different activities involved in the
Programming Mgt Control phase are provided in the Table below:

Audit Trails under Programming Mgt. Controls

Planning:
 Auditors should evaluate whether the nature and extent of planning are appropriate to the different
types of software (that are developed or acquired).
 They must evaluate how well the planning work is being undertaken.
Control:
 Auditors must evaluate whether the nature and extent of control activities undertaken are appropriate
for the different types of software (that are developed or acquired).
 They must gather evidence on the reliability of control procedures. For example, they might first
choose a sample of past and current software development and acquisition projects carried out at
different locations in the organization they are auditing.
Design:
 Auditors should find out whether programmers use some type of systematic approach to design.
 Auditors can obtain evidence of the design practices used by undertaking I/O/RD.
Coding:
 Auditors should seek evidence
o on the level of care exercised by programming mgt in choosing a module implementation and
integration strategy;
o to determine whether programming mgt ensures that programmers follow structured programming
conventions; and
o to check whether programmers employ automated facilities to assist them with their coding work.
Testing:
 Auditors can use interviews, observations, and examination of documentation to evaluate how well unit
testing is conducted.
 Auditors are most likely concerned primarily with the quality of integration testing work carried out
by IS professionals rather than end users.
 The auditor's primary concern is to see that whole-of-program tests have been undertaken for all
material programs and that these tests have been well designed and executed.
Operation and Maintenance:
 Auditors need to ensure that effective and timely reporting of maintenance needs occurs and that
maintenance is carried out in a well-controlled manner.
 Auditors should ensure that mgt has implemented a review system and assigned responsibility for
monitoring the status of operational programs.

Data Resource Mgt Controls


 Auditors should determine what controls are exercised to maintain data integrity. They might
also interview database users to determine their level of awareness of these controls.
 Auditors might employ test data to evaluate whether access controls and update controls are
working.

Quality Assurance Mgt Controls


 Auditors might use I/O/RD to evaluate
o how well QA personnel - perform their monitoring role.
o how well QA personnel - make recommendations for improved standards/processes.
o how well QA personnel - undertake the reporting function/training .
Security Mgt Controls
 Auditors must evaluate whether
o security administrators are conducting ongoing, high-quality security reviews;
o organizations have an appropriate, high-quality DRP in place; and
o organizations have opted for an appropriate insurance plan.
Operations Mgt [OM] Controls
 Auditors should check that documentation is maintained securely and that it is issued only to authorized personnel.
 Auditors can use I/O/RD to evaluate -
o The activities of documentation librarians;
o How well OM undertakes the capacity planning and performance monitoring function;
o The reliability of outsourcing vendor controls;
o Whether OM is monitoring compliance with the outsourcing contract; and
o Whether OM evaluates the financial viability of any outsourcing vendors.
Abbreviations used:
Interviews, observations and reviews of documentation = I/O/RD
Quality Assurance = QA
Auditors play a vital role in evaluating the performance of the various controls that fall under managerial controls. The key areas that auditors should pay attention to while evaluating managerial controls and their types are listed above.

Application Controls and their Audit Trails
Audit Trail Controls: Two types of audit trails should exist in each subsystem:
 An Accounting Audit Trail to maintain a record of events within the subsystem; and
 An Operations Audit Trail to maintain a record of the resource consumption associated with each event in the subsystem.
We shall now discuss Audit Trails for Application Controls in detail.
Boundary controls:
The boundary subsystem establishes the interface between the would-be user of a computer system and the computer system itself. The system must ensure that it has an authentic user and that users are allowed to use resources only in restricted ways. For example, when a customer walks up to an ATM, inserts a debit or credit card and keys in a PIN, the boundary subsystem is in operation.
The audit trail maintains the chronology of events that occur when a user attempts to gain access to and employ system resources.
Accounting audit trail:
 Identity of the would-be user of the system;
 Authentication information supplied;
 Resources requested;
 Action privileges requested;
 Terminal identifier;
 Start and finish time;
 Number of sign-on attempts;
 Resources provided/denied; and
 Action privileges allowed/denied.
Operations audit trail:
 Resource usage from log-on to log-out time; and
 Log of resource consumption.

Input controls:
Input controls cover the validation and error detection of data input into the system.
The audit trail maintains the chronology of events from the time data are captured and entered into an application system until the time they are deemed valid and passed on to other subsystems.
Accounting audit trail:
 Identity of the person (organization) who was the source of the data;
 Identity of the person (organization) who entered the data into the system;
 Time and date when the data was captured;
 Physical device used to enter the data into the system;
 Account or record to be updated by the transaction;
 Standing data to be updated by the transaction; and
 Details of the transaction.
Operations audit trail:
 Time to key in a source document at a terminal;
 Number of read errors made by an optical scanning device;
 Number of keying errors identified during verification;
 Frequency with which an instruction in a command language is used; and
 Time taken to invoke an instruction using a light pen versus a mouse.

Communication Controls:
They are responsible for controls over physical components, communication line errors, flows and links, topological controls, controls over subversive attacks, etc.
The audit trail maintains a chronology of the events from the time a sender dispatches a message to the time a receiver obtains the message.
Accounting audit trail:
 Unique identifier of the source/sink node;
 Unique identifier of each node that traverses the message;
 Person or process authorizing dispatch of the message;
 Time and date at which the message was dispatched;
 Time and date at which the message was received by the sink node;
 Time and date at which each node was traversed by the message; and
 Message sequence number and the image of the message received at each node traversed.
Operations audit trail:
 Number of messages that have traversed each link and each node;
 Queue lengths at each node;
 Number of errors occurring;
 Number of retransmissions;
 Log of errors to identify locations and patterns of errors;
 Log of system restarts; and
 Message transit times.

Processing Controls:
They are responsible for computing, sorting, classifying and summarizing data. The audit trail maintains the chronology of events from the time data is received from the input or communication subsystem to the time data is dispatched to the database, communication, or output subsystems.
Accounting audit trail:
 To trace and replicate the processing performed on a data item; and
 Triggered transactions to monitor input data entry, intermediate results and output data operations.
Operations audit trail:
 A comprehensive log of hardware consumption: CPU time used, secondary storage space used and communication facilities used; and
 A comprehensive log of software consumption: compilers used, subroutine libraries used, file management facilities used, and communication software used.

Output Controls:
They provide functions that determine the data content, data format, timeliness of data and how data is prepared and routed to users.
The audit trail maintains the chronology of events that occur from the time the content of the output is determined until the time users complete their disposal of the output.
Accounting audit trail:
 What output was presented to users;
 Who received the output;
 When the output was received; and
 What actions were taken with the output.
Operations audit trail:
 To maintain the record of resources consumed: graphs, images, report pages, printing time and display rate to produce the various outputs.

Database controls:
They provide functions to define, create, modify, delete and read data in an IS.
The audit trail maintains the chronology of events that occur either to the database definition or to the database itself.
Accounting audit trail:
 To attach a unique time stamp to all transactions;
 To attach before images and after images of the data item on which a transaction is applied to the audit trail; and
 Any modifications or corrections to audit trail transactions accommodating the changes that occur within an application system.
Operations audit trail:
 To maintain a chronology of resource consumption events that affect the database.
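As an added example that is not part of the original notes, the following Python sketch records a database subsystem accounting audit trail with a unique sequence number and time stamp plus before and after images for every transaction, and shows two auditor checks on it: replaying the trail to reproduce the database state at a point in time, and verifying that the trail is internally consistent. The store, users and account values are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional


@dataclass(frozen=True)
class TrailEntry:
    """One accounting audit trail record for the database subsystem."""
    seq: int                # unique, gap-free sequence number for the transaction
    timestamp: str          # ISO 8601 UTC time stamp attached to the transaction
    user: str               # who applied the transaction
    key: str                # data item the transaction was applied to
    before: Optional[Any]   # before image of the item (None if it did not exist)
    after: Optional[Any]    # after image of the item (None if deleted)


class AuditedStore:
    """Constructed toy key-value 'database' whose every change is trailed."""

    def __init__(self) -> None:
        self.data: Dict[str, Any] = {}
        self.trail: List[TrailEntry] = []

    def apply(self, user: str, key: str, after: Optional[Any]) -> TrailEntry:
        entry = TrailEntry(
            seq=len(self.trail) + 1,
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=user, key=key, before=self.data.get(key), after=after,
        )
        if after is None:
            self.data.pop(key, None)
        else:
            self.data[key] = after
        self.trail.append(entry)
        return entry


def reconstruct(trail: List[TrailEntry], up_to_seq: int) -> Dict[str, Any]:
    """Replay the trail to rebuild the database as it stood after `up_to_seq`."""
    state: Dict[str, Any] = {}
    for e in trail:
        if e.seq > up_to_seq:
            break
        if e.after is None:
            state.pop(e.key, None)
        else:
            state[e.key] = e.after
    return state


def verify_trail(trail: List[TrailEntry]) -> List[str]:
    """Return integrity problems found in the trail (empty list = consistent).

    Sequence numbers must be gap-free, and each entry's before image must equal
    the last after image recorded for the same item; a mismatch means a change
    bypassed the audited path or a trail entry was altered.
    """
    problems: List[str] = []
    last_image: Dict[str, Optional[Any]] = {}
    for i, e in enumerate(trail, start=1):
        if e.seq != i:
            problems.append(f"seq gap: expected {i}, found {e.seq}")
        if last_image.get(e.key) != e.before:
            problems.append(f"seq {e.seq}: before image of {e.key!r} does not match trail")
        last_image[e.key] = e.after
    return problems


def demo() -> Dict[str, Any]:
    """Constructed scenario: normal updates, then one write that bypasses the trail."""
    store = AuditedStore()
    store.apply("clerk1", "acct:1001", {"balance": 500})
    store.apply("clerk2", "acct:1001", {"balance": 650})
    store.apply("clerk1", "acct:2002", {"balance": 20})
    clean = verify_trail(store.trail)            # no problems so far
    store.data["acct:1001"] = {"balance": 999}   # untrailed direct write
    store.apply("clerk2", "acct:1001", {"balance": 1000})
    return {"state_after_2": reconstruct(store.trail, 2),
            "clean": clean, "problems": verify_trail(store.trail)}
```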

ORGANIZATION STRUCTURE AND RESPONSIBILITY
Organizations require structure to distribute responsibility to groups of people with specific skills and knowledge. The structure of an organization is called an organization chart (org chart). Organizing and maintaining an organization structure requires that many factors be considered. In most organizations, the organization chart is a living structure that changes frequently, based upon several conditions including the following:
Organization Structure – Example (figure)
Short and long-term objectives: Organizations sometimes move departments from one executive to another so that departments that were once far from each other (in terms of the org chart structure) will be near each other. This provides new opportunities for developing synergies and partnerships that did not exist before the reorganization (reorg). These organizational changes are usually performed to help an organization meet new objectives that require new partnerships and teamwork that were less important before.
Market conditions: Changes in market positions can cause an organization to realign its internal structure in order to strengthen itself. For example, if a competitor lowers its prices based on a new sourcing strategy, an organization may need to respond by changing its organizational structure to put experienced executives in charge of specific activities.
Regulation: New regulations may induce an organization to change its organizational structure. For instance, an organization that becomes highly regulated may elect to move its security and compliance group away from IT and place it under the legal department, since compliance has much more to do with legal compliance than industry standards.
Available talent: When someone leaves the organization (or moves to another position within the organization), particularly in positions of leadership, a space opens in the org chart that often cannot be filled right away. Instead, senior management will temporarily change the structure of the organization by moving the leaderless department under the control of someone else. Often, the decisions of how to change the organization will depend upon the talent and experience of existing leaders, in addition to each leader's workload and other factors. For example, if the director of IT program management leaves the organization, the existing department could temporarily be placed under the IT operations department, in this case because the director of IT operations used to run IT program management. Senior management can see how that arrangement works out and later decide whether to replace the director of IT program management position or to do something else.

Roles and Responsibilities
The topic of roles and responsibilities is multidimensional: it encompasses positions and relationships on the organization chart, it defines specific job titles and duties, and it denotes generic expectations and responsibilities regarding the use and protection of assets.
Individual Roles and Responsibilities
Several roles and responsibilities fall upon all individuals throughout the organization.
Executive management: The most senior managers and executives in an organization are responsible for developing the organization's mission, objectives, and goals, as well as policy. Executives are responsible for enacting security policy, which defines (among other things) the protection of assets.
Owner: An owner is an individual (usually but not necessarily a manager) who is the designated owner-steward of an asset. Depending upon the organization's security policy, an owner may be responsible for the maintenance and integrity of the asset, as well as for deciding who is permitted to access the asset. If the asset is information, the owner may be responsible for determining who may access and make changes to the information.
Manager: A manager is, in the general sense, responsible for obtaining policies and procedures and making them available to their staff members. They should also, to some extent, be responsible for their staff members' behavior.
User: Users are individuals (at any level of the organization) who use assets in the performance of their job duties. Each user is responsible for how he or she uses the asset, and must not permit others to access the asset in his or her name. Users are responsible for performing their duties lawfully and for conforming to organization policies.
These generic roles and responsibilities should apply across the organization chart to include every person in the organization.

Job Titles and Job Descriptions
A Job Title is a label that is assigned to a job description. It denotes a position in the organization that has a given set of responsibilities, and which requires a certain level and focus of education and prior experience.
An organization that has a program of career advancement may have a set of career paths or career ladders that are models showing how employees may advance. For each job title, a career path will show the possible avenues of advancement to other job titles, and the experience required to reach those other job titles.
Job titles in IT have matured and are quite consistent across organizations. This consistency helps organizations in several ways:
Recruiting: When the organization needs to find someone to fill an open position, the use of standard job titles will help prospective candidates more easily find positions that match their criteria.
Compensation baselining: Because of the chronic shortage of talented IT workers, organizations are forced to be more competitive when trying to attract new workers. To remain competitive, many organizations periodically undertake a regional compensation analysis to better understand the levels of compensation paid to IT workers in other organizations. The use of standard job titles makes the task of comparing compensation far easier.
Career advancement: When an organization uses job titles that are consistent in the industry, IT workers have a better understanding of the functions of positions within their own organizations and can more easily plan how they can advance.
The remainder of this section includes many IT job titles with a short description (not a full job description by any measure) of the function of that position.
Virtually all organizations also include titles that denote the level of experience, leadership, or span of control in an organization. These titles may include executive vice president, senior vice president, vice president, senior director, director, general manager, senior manager, manager and supervisor. Larger organizations will use more of these, and possibly additional titles such as district manager, group manager, or area manager.

(a) Executive Management: Executive managers are the chief leaders and policymakers in an organization. They set objectives and work directly with the organization's most senior management to help make decisions affecting the future strategy of the organization.
CIO (Chief Information Officer): This is the title of the topmost leader in a larger IT organization.
CTO (Chief Technical Officer): This position is usually responsible for an organization's overall technology strategy. Depending upon the purpose of the organization, this position may be separate from IT.
CSO (Chief Security Officer): This position is responsible for all aspects of security, including information security, physical security, and possibly executive protection (protecting the safety of senior executives).
CISO (Chief Information Security Officer): This position is responsible for all aspects of data-related security. This usually includes incident management, disaster recovery, vulnerability management, and compliance.
CPO (Chief Privacy Officer): This position is responsible for the protection and use of personal information. This position is found in organizations that collect and store sensitive information for large numbers of persons.

(b) Software Development:
Positions in software development are involved in the design, development, and testing of software applications.
Systems Architect: This position is usually responsible for the overall ISs architecture in the
organization. This may or may not include overall data architecture as well
as interfaces to external organizations.
Systems Analyst: A systems analyst is involved with the design of applications, including
changes in an application’s original design. This position may develop
technical requirements, program design, and software test plans. In cases
where organizations license applications developed by other companies,
systems analysts design interfaces to other applications.
Software Developer, Programmer: This position develops application software. Depending upon the level of experience, persons in this position may also design programs or applications. In organizations that utilize purchased application software, developers often create custom interfaces, application customizations, and custom reports.
Software Tester: This position tests changes in programs made by software developers.

(c) Data Management:
Positions in data management are responsible for developing and implementing database designs and for maintaining databases.
Database Architect: This position develops logical and physical designs of data models for
applications. With sufficient experience, this person may also design an
organization’s overall data architecture.
Database Administrator (DBA): This position builds and maintains databases designed by the database architect and those databases that are included as a part of purchased applications. The DBA monitors databases, tunes them for performance and efficiency, and troubleshoots problems.
Database Analyst: This position performs tasks that are junior to the database administrator,
carrying out routine data maintenance and monitoring tasks.

(d) Network Management
Positions in network management are responsible for designing, building, monitoring, and maintaining voice and data communications networks, including connections to outside business partners and the Internet.
Network Architect: This position designs data and (increasingly) voice networks and designs
changes and upgrades to the network as needed to meet new organization
objectives.
Network Engineer: This position builds and maintains network devices such as routers,
switches, firewalls, and gateways.
Network Administrator: This position performs routine tasks in the network such as making minor
configuration changes and monitoring event logs.
Telecom Engineer: Positions in this role work with telecommunications technologies such as data circuits, phone systems, and voicemail systems.
(e) Systems Management
Positions in systems management are responsible for architecture, design, building, and
maintenance of servers and operating systems. This may include desktop operating systems as well.
Systems Architect: This position is responsible for the overall architecture of systems (usually
servers), both in terms of the internal architecture of a system, as well as
the relationship between systems. This position is usually also responsible
for the design of services such as authentication, e-mail.
Systems Engineer: This position is responsible for designing, building, and maintaining servers
and server operating systems.
Storage Engineer: This position is responsible for designing, building, and maintaining storage
subsystems.
Systems Administrator: This position is responsible for performing maintenance and configuration
operations on systems.

(f) General Operations
Positions in operations are responsible for day-to-day operational tasks that may include networks, servers, databases, and applications.
Operations Manager: This position is responsible for overall operations that are carried out by
others. Responsibilities will include establishing operations shift schedules.
Operations Analyst: This position may be responsible for the development of operational
procedures; examining the health of networks, systems, and databases;
setting and monitoring the operations schedule; and maintaining
operations records.
Controls Analyst: This position is responsible for monitoring batch jobs, data entry work, and
other tasks to make sure that they are operating correctly.
Systems Operator: This position is responsible for monitoring systems and networks,
performing backup tasks, running batch jobs, printing reports, and other
operational tasks.
Data Entry: This position is responsible for keying batches of data from hard copy
sources.
Media Librarian: This position is responsible for maintaining and tracking the use and
whereabouts of backup tapes and other media.

(g) Security Operations
Positions in security operations are responsible for designing, building, and monitoring security systems and security controls, to ensure the confidentiality, integrity, and availability of ISs.
Security Architect: This position is responsible for the design of security controls and systems
such as authentication, audit logging, intrusion detection systems,
intrusion prevention systems, and firewalls.
Security Engineer: This position is responsible for designing, building, and maintaining
security services and systems that are designed by the security architect.
Security Analyst: This position is responsible for examining logs from firewalls, intrusion
detection systems, and audit logs from systems and applications. This
position may also be responsible for issuing security advisories to others in
IT.
User Account Management: This position is responsible for accepting approved requests for user access management changes and performing the necessary changes at the network, system, database, or application level. Often this position is carried out by personnel in network and systems management functions; only in larger organizations is user account management performed in security or even in a separate user access department.
Security Auditor: This position is responsible for performing internal audits of IT controls to
ensure that they are being operated properly.

(h) Service Desk
Positions at the service desk are responsible for providing front line support services to IT and its customers.
Help Desk Analyst: This position is responsible for providing front line user support services to personnel in the organization.
Technical Support Analyst: This position is responsible for providing technical support services to other IT personnel, and perhaps also to IT customers.

SEGREGATION OF DUTIES
ISs often process large volumes of information that is sometimes highly valuable or sensitive. Measures need to be taken in IT organizations to ensure that individuals do not possess sufficient privileges to carry out potentially harmful actions on their own. Checks and balances are needed, so that high-value and high-sensitivity activities involve the coordination of two or more authorized individuals. The concept of Segregation of Duties (SOD), also known as separation of duties, ensures that single individuals do not possess excess privileges that could result in unauthorized activities such as fraud or the manipulation or exposure of sensitive data.
The concept of segregation of duties has long been established in organization accounting departments where, for instance, separate individuals or groups are responsible for the creation of vendors, the request for payments, and the printing of checks. Since accounting personnel frequently handle checks and currency, the principles and practices of segregation of duties controls in accounting departments are the norm.
Segregation of Duties Controls
Preventive and detective controls should be put into place to manage segregation of duties matters. In
most organizations, both the preventive and detective controls will be manual, particularly when it
comes to unwanted combinations of access between different applications. However, in some
transaction-related situations, controls can be automated, although they may still require intervention
by others.
Some Examples of Segregation of Duties Controls
Transaction Authorization: ISs can be programmed or configured to require two (or more) persons to approve certain transactions. Many of us see this in retail establishments where a manager is required to approve a large transaction or a refund. In IT applications, transactions meeting certain criteria (for example, exceeding normally accepted limits or conditions) may require a manager's approval to be able to proceed.
Split custody of high-value assets: Assets of high importance or value can be protected using various means of split custody. For example, a password to an encryption key that protects a highly-valued asset can be split into two halves, one half assigned to two persons, and the other half assigned to two other persons, so that no single individual knows the entire password. Banks do this for central vaults, where a vault combination is split into two or more pieces so that two or more persons are required to open it.
Workflow: Applications that are workflow-enabled can use a second (or third) level of approval before certain high-value or high-sensitivity activities can take place. For example, a workflow application that is used to provision user accounts can include extra management approval steps in requests for administrative privileges.
Periodic reviews: IT or internal audit personnel can periodically review user access rights to identify whether any segregation of duties issues exist. The access privileges for each worker can be compared against a segregation of duties control matrix.

When SOD issues are encountered during a segregation of duties review, management will need to
decide how to mitigate the matter. The choices for mitigating a SOD issue include:
• Reduce access privileges: Management can reduce individual user privileges so that the conflict no
longer exists.
• Introduce a new mitigating control: If management has determined that the person(s) need to
retain privileges that are viewed as a conflict, then new preventive or detective controls need to be
introduced that will prevent or detect unwanted activities.
Examples of mitigating controls include increased logging to record the actions of personnel,
improved exception reporting to identify possible issues, reconciliations of data sets, and external
reviews of high-risk controls.
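Two of the controls described above, the periodic review against a segregation of duties control matrix and two-person transaction authorization, as an added Python example that is not part of the original notes. The conflict matrix, the user access extract and the transaction records are constructed; the duty names follow the accounting example (vendor creation, payment requests, check printing) given earlier.

```python
from typing import Any, Dict, FrozenSet, List, Set, Tuple

# Pairs of duties that one person must not hold together (constructed SOD
# control matrix; the last pair separates entering from approving a transaction).
SOD_MATRIX: Set[FrozenSet[str]] = {
    frozenset({"create_vendor", "request_payment"}),
    frozenset({"request_payment", "print_checks"}),
    frozenset({"create_vendor", "print_checks"}),
    frozenset({"enter_transaction", "approve_transaction"}),
}

Privileges = Dict[str, Set[str]]   # user -> privileges currently held

# Constructed access-rights extract, as pulled for a periodic review.
SAMPLE_PRIVILEGES: Privileges = {
    "alice": {"create_vendor", "request_payment"},          # SOD conflict
    "bob":   {"print_checks"},
    "carol": {"enter_transaction", "approve_transaction"},  # SOD conflict
    "dave":  {"approve_transaction"},
}


def find_sod_conflicts(privileges: Privileges) -> List[Tuple[str, str, str]]:
    """Periodic review: compare each worker's rights against the SOD matrix.

    Returns (user, duty_a, duty_b) for every conflicting pair the user holds,
    sorted so the report is stable from run to run.
    """
    conflicts: List[Tuple[str, str, str]] = []
    for user, held in privileges.items():
        for pair in SOD_MATRIX:
            if pair <= held:                 # both duties of the pair are held
                a, b = sorted(pair)
                conflicts.append((user, a, b))
    return sorted(conflicts)


def authorize(tx: Dict[str, Any], approvers: List[str],
              privileges: Privileges, limit: float) -> Tuple[bool, str]:
    """Transaction authorization: an amount above `limit` needs a second person.

    The approver must hold the approve_transaction privilege and must not be
    the person who entered the transaction (no self-approval).
    """
    if tx["amount"] <= limit:
        return True, "within limit; no second approval required"
    for who in approvers:
        if who == tx["entered_by"]:
            continue                         # preparer may not approve own entry
        if "approve_transaction" in privileges.get(who, set()):
            return True, f"approved by {who}"
    return False, "needs approval by an authorized person other than the preparer"
```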
